1、Chapter 2 Planning for Security,Presented by: Ryan Horvath, Jennifer Kaufman, Sergey Morozov & Kalagee Shah,2,Outline,The Role of Planning Precursors to Planning Values Statement Vision Statement Mission Statement Strategic Planning Creating a Strategic Plan Planning Levels Planning and the CISO(Chi
2、ef Info Security Officer) Planning for Information Security Implementation,3,Chapter Objectives,Identify the roles in organizations that are active in the planning process Grasp the principal components of information security system implementation planning in the organizational planning scheme.,4,C
3、hapter Organization,5,Planning Influences,Employees Management Stockholders Outside stakeholders Physical environment Political and legal environment Competitive environment Technological environment,6,Information Security Professionals,Professionals that support the information security program Chi
4、ef Information Officer (CIO) Chief Information Security Office (CISO) Security Managers Security Technicians Data Owners Data Custodians Data Users,Slide 6,7,Planning Definition,Planning is creating action steps toward goals and then controlling them Provides direction for the organizations future A
5、llows managing resources Optimizes the use of the resources Coordinates the effort of independent organizational units,8,Precursors to Planning,Values Statement Vision Statement Mission Statement,9,Values Statement,Principles Qualities Benchmarks What your company is? Microsoft: Integrity, honesty,
6、passion, and respectfulness are significant parts of Microsofts corporate philosophy,10,Vision Statement,Ambitious Best-case scenario Future goals Where your company wants to be? Microsoft: A personal computer in every home running Microsoft software,11,Mission Statement,Organizations business Areas
7、 of operation Internal External How your company is going to get there? Google: Organize the worlds information and make it universally accessible and useful.,12,Strategic Planning,Strategy lays out the long-term direction to be taken by organization It guides organizational efforts, and focuses res
8、ources toward specific, clearly defined goals. Strategic planning includes Mission statement Vision statement Values statement Coordinated plans for sub units,13,Creating a Strategic Plan,Organization Develops a general strategy Creates specific strategic plans for major divisions Each level of tran
9、slates those objectives into more specific objectives for the level below,14,Top-Down Strategic Planning,15,Creating a Strategic Plan,Strategic goals are translated into tasks Specific Measurable Achievable Realistic Timely,16,Planning Levels,Strategic Planning Five or more year focus Strategic plan
10、 separated into strategic goals for each department Tactical Planning One to three year focus Breaks strategic goals into a series of incremental objectives,17,Planning Levels,Operational Planning Organize the ongoing, day-to-day performance of tasks Includes clearly identified coordination activiti
11、es across department boundaries Communications requirements Weekly meetings Summaries Progress reports,18,Planning Levels,19,Strategic Plan Elements,Introduction by senior executive Executive Summary Mission Statement and Vision Statement Organizational Profile and History Strategic Issues and Core
12、Values Program Goals and Objectives Management/Operations Goals and Objectives Appendices (optional) Strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets &etc,20,10 Tips For Strategic Planning,Create a compelling vision statement Embrace the use of balanced scorecard ap
13、proach Deploy a draft high level plan early, and get input from stakeholders Make the evolving plan visible,21,10 Tips For Planning (cont.),5. Make the process invigorating for everyone 6. Be persistent 7. Make the process continuous 8. Provide meaning 9. Be yourself 10. Have fun,22,Planning For Inf
14、oSec Implementation,Commonly the CISO directly reports to the CIO. The CIO and CISO play important roles in translating overall strategic planning into tactical and operational information security plans CISO plays a more active role planning the details,23,CISO Job Description,Creates strategic inf
15、ormation security plan with a vision for the future of information security Understands fundamental business activities performed by the company Suggests appropriate information security solutions that uniquely protect these activities Improves status of information security by developing action pla
16、ns schedules budgets status reports top management communications,24,Planning for Information Security,CIO: translates strategic plan into departmental and InfoSec objectives CISO: translates InfoSec objectives into tactical and operational objectives Implementation can now begin Implementation of i
17、nformation security can be accomplished in two ways Bottom-up Top-down,25,Bottom-Up Approach,Grass-roots effort Individual administrators try to improve security No coordinated planning from upper management No coordination between departments Unpredictable funding,26,Top-Down Approach,Strong upper
18、management support A dedicated champion Assured funding Clear planning and implementation process Ability to influence organizational culture,27,Approaches to Security Implementation,28,Joint Application Development,Outcome of the objective directly affects the end users Key end users assigned to de
19、velopment teams Processes documented and integrated into organizational culture Ensures continuation of Application Seldom found in bottom-up initiatives,29,The Systems Development Life Cycle (SDLC),Methodology for the design and implementation of an information system SDLC-based projects may be ini
20、tiated by events or planned Each phase concludes with a review or a feasibility analysis,30,Phases of an SecSDLC,31,Investigation Phase for SecSDLC,Identifies problem to be solved Begins with the objectives, constraints, and scope of the project A preliminary cost/benefit analysis is then developed
21、Ends with a feasibility analysis,32,Feasibility,33,SDLC vs. SecSDLC: Investigation,Common steps Outline project scope/goals Estimate costs Evaluate existing resources Analyze feasibility,Steps unique to SecSDLC Define project process and goals and document them in the program security policy,34,Anal
22、ysis in the SecSDLC,35,Analysis in SecSDLC,A preliminary analysis of Existing security polices Current threats and attacks Legal issues Risk management Process of identifying, assessing & evaluation of levels of risks facing the organization,36,Threats,Know your enemy: Its the first step in mounting
23、 an effective defense Enemy = ThreatsThreat is an object, person or other entities that represents constant danger to information asset Well-understood and well-researched Grouped by activities,37,Threats,38,Attacks,Attack is an event that exploits the vulnerability Attack is accomplished by threat
24、agent A vulnerability is an identified weakness of controlled information asset An exploit is a technique use to compromise an information asset,39,Types of attacks,Back doors Brute force Dictionary Man-in-middle Password crack Social engineering Spear phishing Phishing,40,Types of attacks (cont.),B
25、uffer overflow DoS & DDoS Hoaxes Mail bombing Spam Malicious code DNS Cache poisoning,Sniffers Spoofing Timing,41,Risk Analysis,Asset valuation Identify the categories to assign to each asset Most critical to the success of the organization The most revenue The highest profitability The most expensi
26、ve to replace The most expensive to protect Liability of organization if revealed,42,Risk Analysis (cont.),Categories must be comprehensive and mutually exclusive Rank the components based on criteria of categorization of assets Review each information assets for each threats it faces Create a list
27、of vulnerabilities Assign a rank for comparative risk to each information asset,43,SDLC vs. SecSDLC : Analysis,Common steps Assess current system against plan developed in phase 1 Develop system requirements Study integration of new system Update feasibility analysis,Steps unique to SecSDLC Analyze
28、existing security policies and programs Analyze current threats and attacks Examine legal issues Risk analysis,44,Design in SecSDLC,45,Design in SecSDLC,Logical design phase Create and develop a security blueprint Implement key policies Feasibility analysis develop or outsource Physical design phase
29、 Evaluate technology to support security blueprint Generate alternative solutions Agree on final design,46,Security models,Security team often use established security models to adapt or adopt. Security models provide framework Addresses all areas of security Computer Security Resource Center of NIS
30、T Information Technology Code of Practice for Information Security Management- ISO/IEC 17799 International standard,47,Design elements,Information security policy Management must define General security policy Issue-specific security policy Systems-specific security policy,48,Design elements (cont.)
31、,SETA Security education, training and awareness program contains Security education Security training Security awareness Purpose Improving awareness Developing skills & knowledge Building in-depth knowledge,49,Design elements (cont.),Controls and Safeguards Managerial controls Operational controls
32、Technical controls,50,Managerial Control,Address the design, scope and implementation of the security planning process & security program Addresses risk management and security control overview Addresses scope of legal compliance,51,Operational Controls,Manages functions and lower-level planning Dis
33、aster recovery Incident response planning Personal security Physical security Protection of production inputs and output,52,Technical controls,Addresses tactical issues & technical issues related to design and implementing security Reviews the technologies necessary to protect information assets,53,
34、Contingency planning,Contingency planning is planning to prepared for, react to, recover from event of security breach and restoration of normal business operations. Incident Response Planning (IRP) Disaster Recovery Planning (DSP) Business Continuity Planning (BCP),54,Physical security,Design, impl
35、ementation and maintenance of countermeasures that protect the physical resources of an organization Physical resources include People Hardware Supporting information system elements,55,SDLC vs. SecSDLC : Logical Design,Common steps Assess current business needs against developed plan Select applica
36、tion, data support and structures Generate multiple solutions Update feasibility analysis,Steps unique to SecSDLC Develop security blueprint Plan incident response action Plan business response to disaster Feasibility of continuing or outsourcing of project,56,SDLC vs. SecSDLC : Physical Design,Comm
37、on steps Select technologies to support solutions Select the best solutions Decide whether to make or buy components Update feasibility analysis,Steps unique to SecSDLC Select technologies needed to support security blueprint Develop definition of successful solution Design physical security measure
38、s to support technological solutions Approve the project,57,Management of Information Security, 2nd ed. - Chapter 2,Slide 57,Implementation in SecSDLC,Acquire, test, implement, and retest security solutions Evaluate personnel issues and conduct specific training and education programs Present tested
39、 package to management for approval,58,Management of the Project Plan,Planning the project Supervising tasks and action steps within the project plan Wrapping up the plan,Management of Information Security, 2nd ed. - Chapter 2,Slide 58,59,Project Team,Should consist of individuals experienced in one
40、 or multiple technical and non-technical areas including Champion Team leader Security policy developers Risk assessment specialists Security professionals Security professionals System administrators End users,Management of Information Security, 2nd ed. - Chapter 2,Slide 59,60,Staffing the Informat
41、ion Security Function,Organizations should examine the options for staffing the information security function Decide how to position and name the function Plan for proper staffing of the function Understand impact of information security across every role in IT Integrate information security concept
42、s into personnel management,Management of Information Security, 2nd ed. - Chapter 2,Slide 60,61,Professional Security Certifications,Professional security certifications that can help organizations more easily identify the proficiency of applicants CISSP & SSCP GIAC, GSE, GISO MCSE CNE SCNP and SCNA
43、 Security+ CISM & CISA,Management of Information Security, 2nd ed. - Chapter 12,Slide 61,62,SDLC vs. SecSDLC : Implementation,Common steps Develop or buy software Order components Document system Train users Update feasibility analysis Present to users Test system and review performance,Steps unique
44、 to SecSDLC Buy or develop security solutions Present tested package to management for approval,63,Maintenance in the SecSDLC,Maintenance models focus organization effort on system maintenance External monitoring Internal monitoring Planning and risk assessment Vulnerability assessment and remediati
45、on Readiness and review,Management of Information Security, 2nd ed. - Chapter 1,Slide 63,64,Management of Information Security, 2nd ed. - Chapter 2,Slide 64,65,Management of Information Security, 2nd ed. - Chapter 2,Slide 65,ISO Management Model,SecSDLC includes selecting a systems management model
46、ISO management model focus areas Fault management Configuration and change management Accounting and auditing management Performance management Security program management,66,Security Management Model,Fault Management: Identify and address faults Configuration and Change Management: Administration a
47、nd change of the security program Accounting and Auditing Management: Chargeback accounting and systems monitoring Performance Management: Monitor system performance for intended use Security Program Management: Operation and management of the security program,Management of Information Security, 2nd
48、 ed. - Chapter 2,Slide 66,67,SDLC vs. SecSDLC : Maintenance,Common steps Support and modify system for its useful life Test periodically for compliance with business needs Upgrade and patch,Steps unique to SecSDLC Constantly monitor, test, modify, update and repair to respond to changing threats,68,Conclusions,Roles and responsibilities of the security planning process Security System Development Life Cycle phases,69,Questions?,