C.2 Security Management Areas of Responsibility 299
Appendix C
activities with the federal government, including vulnerability assessments,
strategic planning efforts, and exercises.
C.2 Security Management Areas of Responsibility
This section covers the basic areas that should be addressed as part of any security plan for any organization. It does not go into details about how to configure equipment, develop scripts, and so on; it is strictly a management perspective of the “coverage areas” that need to be addressed to ensure adequate organizational protections are in place. These areas are generally implemented by establishing policy. Consider these areas the basic requirements; policy is used to implement the requirements, and the security team is there to enforce the requirements and adjust as needed to ensure currency with changing business conditions.
When putting together a Site Security Plan, it is important to build a strategy that satisfies the needs of the organization. To accomplish this, of course, you must first determine what the organization's needs are by conducting a needs assessment. The results of this assessment will aid in defining the security program appropriate for your organization. Review the program with senior staff to ensure you have their buy-in on implementing the programs, and set up a process to periodically review these programs to ensure they meet the business needs. The next step is to develop an awareness and training plan, identify the various audiences (or constituencies, as some prefer to call them), and begin training. Let's discuss this program in a bit more detail.
C.2.1 Awareness Programs
Successful computer security programs are highly dependent on the effectiveness of an organization's security awareness and training program. If employees are not informed of applicable organizational policies and procedures, they cannot be expected to properly secure computer resources. The dissemination and enforcement of the security policy is a critical issue that can be addressed through local security awareness and training programs. Employees cannot be expected to follow policies and procedures of which they are unaware. In addition, enforcing penalties may be difficult if users can claim ignorance when caught doing something wrong. Training employees can also show that a standard of due care has been taken in protecting information. Simply issuing policy without follow-through to implement that policy is not enough to get the job done. Many organizations use acknowledgment statements to verify that employees have read and understand computer security requirements. New hires are an especially important audience for security awareness training. It is critical that any new employee receive training on the security policies in place at an organization within the first week or two of employment.
Many employees regard computer security as an obstacle to their job productivity. To help motivate employees to be security-aware, emphasize the ways that security can contribute to productivity. The consequences of poor security should be explained without using the fear and intimidation tactics employees often associate with security. Awareness helps to reinforce the fact that security supports the mission of the organization by protecting valuable resources. If employees view security measures as bothersome rules and procedures, they are likely to ignore them. Managers are responsible for ensuring that their personnel are briefed and understand the role they play in supporting security efforts. By informing all personnel of the statutes and policies surrounding IT security, and by conducting periodic security awareness briefings, managers can accomplish this task.
Security training is most effective when targeted to a specific audience. This enables the training to focus on the security-related job skills and knowledge that people need to perform their duties. Divide the audiences into groups according to their level of security awareness. This may require research to determine how well employees follow computer security procedures or understand how computer security fits into their jobs. Training groups can be segmented according to general job task or function, specific job category, or level of competence and understanding of general computer knowledge.
C.2.2 Risk Analysis
A prime consideration for creating a computer security policy is to ensure that the effort spent on developing and implementing the security policy will yield cost-effective benefits. It is important for a security manager to understand where the most obvious “quick wins” in security will be found. While there is a great deal of information in the press about intruders hacking into computer systems, most security surveys reveal that the actual loss from “insiders” is a far greater risk. Risk analysis involves determining what you need to protect, what you need to protect it from, and how you need to protect it. Risk analysis is the process of examining all of the potential risks you may face, then rank ordering those risks by level of severity. This process will involve choosing cost-effective solutions, based on what you want to protect and how it is to be protected. It is important to balance the value of the asset that needs protection against the cost of providing that protection. For example, if you spend $500,000.00 to protect reproducible code assets that originally only cost $180,000.00, it is not likely a sound security investment. Always consider the cost versus worth scenario when selecting your security solutions. Much more on this topic is presented in Chapter 2.
C.2.2.1 Identify Assets
For each asset, the basic goals of security are availability, confidentiality, and integrity. A risk analysis process requires the identification of all assets that need to be protected. Try to determine what potential threats exist for each particular asset. A list of asset categories suggested by Pfleeger [1] includes the following:
Hardware: keyboards, monitors, laptops, personal computers, printers, disk drives, communication lines, terminal servers, routers
Software: source programs, object programs, utilities, diagnostic programs, operating systems, communication programs
Data: used during execution, stored online, archived offline, backups, audit logs, databases, in transit over communication media
People: users, administrators, hardware maintainers
Documentation: on programs, hardware, systems, local administrative procedures
Supplies: paper, forms, paperclips, ink cartridges, ribbons, magnetic media
C.2.2.2 Identifying the Threats
Once the assets have been identified, it is necessary to determine the potential threats to those assets. Threats can then be examined to determine a loss potential. Loss potential helps to rank the asset and threat against other items in your list. The following are classic threats that should be considered: unauthorized access, unintended disclosure of information, and denial of service. Depending on your organization, there will be more specific threats that should be identified and addressed.
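The rank ordering and the cost-versus-worth comparison described in C.2.2 through C.2.2.2 can be made concrete with a small risk register. What follows is an added example, not code from the book: it uses the standard annualized loss expectancy calculation (single loss expectancy = asset value × exposure factor; ALE = SLE × annual rate of occurrence), which the appendix itself does not name, and the asset values, exposure factors, occurrence rates and control costs are constructed sample figures chosen so that the last case reproduces the $500,000 spent on $180,000 of reproducible code from the text.

```python
"""Rank threats to assets by expected annual loss and check whether a control pays for itself.

Added example (not from the book). Uses annualized loss expectancy (ALE), a
standard quantitative risk-analysis technique; every figure below is constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str               # e.g. one of the classic threats named in C.2.2.2
    exposure_factor: float  # fraction of the asset's value lost per occurrence, 0.0-1.0
    annual_rate: float      # expected occurrences per year (ARO)


@dataclass
class Asset:
    name: str
    category: str           # Pfleeger category: hardware, software, data, people, ...
    value: float            # cost to replace or recover the asset, in dollars
    threats: list = field(default_factory=list)


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE: dollars lost each time the threat is realized against this asset."""
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE: expected loss per year; this is the number the risks are ranked by."""
    return single_loss_expectancy(asset, threat) * threat.annual_rate


def rank_risks(assets: list) -> list:
    """Return (ALE, asset name, threat name) tuples, highest expected loss first."""
    rows = [(annualized_loss_expectancy(a, t), a.name, t.name)
            for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: r[0], reverse=True)


def evaluate_control(asset: Asset, threat: Threat,
                     annual_control_cost: float, residual_rate: float) -> tuple:
    """Cost-versus-worth check for a proposed control.

    residual_rate is the annual rate of occurrence expected once the control is
    in place. Returns (net annual benefit, worth_funding): a control is worth
    funding only when the ALE it removes exceeds what it costs each year.
    """
    before = annualized_loss_expectancy(asset, threat)
    after = single_loss_expectancy(asset, threat) * residual_rate
    net = before - after - annual_control_cost
    return net, net > 0


def build_sample_register() -> list:
    """Constructed sample assets and threats; the figures are illustrative only."""
    customer_db = Asset("customer database", "data", 2_000_000.0, [
        Threat("unauthorized access", 0.75, 0.25),
        Threat("unintended disclosure", 0.5, 0.125),
    ])
    source_repo = Asset("source code repository", "software", 180_000.0, [
        Threat("unauthorized access", 0.5, 0.25),
        Threat("denial of service", 0.125, 0.5),
    ])
    border_router = Asset("border router", "hardware", 20_000.0, [
        Threat("denial of service", 1.0, 2.0),
    ])
    return [customer_db, source_repo, border_router]


def appendix_example() -> tuple:
    """The appendix's case: $500,000 a year to fully protect code worth $180,000."""
    repo = build_sample_register()[1]
    return evaluate_control(repo, repo.threats[0], 500_000.0, 0.0)


if __name__ == "__main__":
    register = build_sample_register()
    for ale, asset_name, threat_name in rank_risks(register):
        print(f"{ale:>12,.0f}  {asset_name:<24} {threat_name}")
    net, worth_it = appendix_example()
    print(f"$500,000 control on the code repository: net {net:,.0f}/yr, fund it: {worth_it}")
```

Run as a script it prints the register ordered by ALE (the customer database outranks the router and the repository by a wide margin, which is where the "quick wins" are) and shows the appendix's $500,000 control losing $477,500 a year against the $22,500 it would save. The same register also answers the opposite question: a $50,000-a-year control that cuts unauthorized access to the database to one event in eight years still nets $137,500. The exposure factors and rates are the inputs that deserve the most scrutiny; the arithmetic is trivial, the estimates are not.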
C.2.3 Incident Handling
In this section, we discuss the process of establishing the incident handling function in an organization. There are several key issues a security manager must consider when establishing an Incident Response Group. What are the goals the group needs to accomplish? What should this team be relied upon to do in a consistent and professional manner? Who are they providing this service to (i.e., what is the incident handling group's constituency)? It is important to understand the constituency, because what is provided for one audience may be inadequate for another. For example, if your constituency is a distributed data center operation, its incident response needs will be quite different from those of a retail Web site selling T-shirts and such.
Once the constituency is known, the next step is to begin determining what the structure of the incident response group will look like. Should it be a centralized organization or a decentralized, distributed organization? This decision greatly affects the staffing and funding requirements. Once you have determined the structure best suited to the needs of a constituency, your organization's management team must support the decision and agree to the funding requirements.
As you begin to set up the operation, set up a centralized mechanism for the constituency to report incidents or potential incidents. A team must be assembled to respond to those incidents, and the team should operate from a high-level “guidebook” or charter. Creating a charter for the team will get everyone on the team working towards achieving the same goals. How they go about achieving those goals is defined by process and procedures, usually put in place by creating an Incident Response Group Operations Handbook. This handbook is considered the starting point for handling all incidents, and the team members must be instructed to update it, making it a living document as environmental conditions change. Finally, when an incident is reported, investigated, and resolved, there should be a management reporting function in place to let management understand what happened and the impact the event had on the organization.
C.2.4 Alerts and Advisories
Alerts and advisories that detail newly discovered vulnerabilities and other security information are released almost daily. This information may require immediate action on the part of the system administrators, the incident response group, or the users. Advisories come from a variety of sources, such as vendors and product manufacturers. There are also places like the CERT® Coordination Center (CERT®/CC) and the Federal Computer Incident Response Capability (FEDCIRC), now both a part of the new National Strategy to Protect Infrastructure. To help develop ways of better protecting our critical infrastructures, and to help minimize vulnerabilities, the U.S. Department of Homeland Security has established Information Sharing and Analysis Centers, or ISACs, to allow critical sectors to share information and work together to help better protect the economy. The IT-ISAC is a forum for sharing information about network vulnerabilities and effective solutions [2]. It is also a forum for sharing threat-related information and ways to protect against those threats. Its Operations Center is intended to help achieve a higher level of critical infrastructure protection through the sharing of key security solutions. Regardless of which source sends out an advisory, upon receipt of any alerts and advisories requiring action, ensure compliance with the required action. If compliance cannot occur for any reason, obtain a statement of waiver with the reasons the actions cannot be implemented. Ensure that any compliance or waiver actions needed are reported to the CSO or information security manager for briefing to other senior management.
C.2.5 Warning Banners
It is good security practice for all systems to display warning banners upon connection to a given system. These banners should display a warning that informs the user logging in that the system is for legitimate use only, is subject to monitoring, and carries no expectation of privacy. The use of warning banners provides legal notice to anyone accessing the system that they are using a system that is subject to monitoring. Users should also be notified of the possible sanctions, such as loss of privileges, employment, or even prosecution, if they misuse or access the network without authorization. System administrators can install the banners quite easily, and the information contained in the banners should be approved by the organization's legal staff. A sample of banner wording is as follows:
This is a proprietary computer system that is “FOR
INTERNAL USE ONLY.” This system is subject to
monitoring. Therefore, no expectation of privacy is to
be assumed. Individuals found performing unauthorized
activities are subject to disciplinary action,
including criminal prosecution.
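Installing that wording on a Linux host, as an added example that is not from the book: the script writes the banner to /etc/issue (shown by agetty on console logins) and /etc/issue.net, and points OpenSSH at the latter with the Banner directive so the notice appears before authentication, which is what makes it notice rather than a post-login greeting. The sshd_config edit is isolated in a function of its own because of a caveat the appendix does not mention: in sshd_config a Match block runs to the end of the file, so a Banner line simply appended to the file can end up applying only to the users that Match block selects. The root argument, the /etc/ssh/sshd_config location and the service name in the closing message are assumptions for a typical Debian or Red Hat style host.

```python
"""Install a pre-login warning banner on a Linux host and wire it into OpenSSH.

Added example (not from the book). Assumes an OpenSSH server configured by
/etc/ssh/sshd_config; run as root with the default root of "/", or pass another
directory to rehearse the change against a copy of the files.
"""
import re
import subprocess
import sys
from pathlib import Path

# Wording from the appendix. Keep it free of backslashes: agetty expands escape
# sequences such as \n and \l when it prints /etc/issue.
BANNER_TEXT = """\
This is a proprietary computer system that is "FOR INTERNAL USE ONLY."
This system is subject to monitoring. Therefore, no expectation of
privacy is to be assumed. Individuals found performing unauthorized
activities are subject to disciplinary action, including criminal
prosecution.
"""

# A Banner directive (possibly commented out, e.g. the stock "#Banner none")
# takes exactly one argument; sshd keyword matching is case-insensitive.
_BANNER_LINE = re.compile(r"^\s*#?\s*Banner\s+\S+\s*$", re.IGNORECASE)
_MATCH_LINE = re.compile(r"^\s*Match\b", re.IGNORECASE)


def set_sshd_banner(config_text: str, banner_path: str = "/etc/issue.net") -> str:
    """Return sshd_config text with exactly one active global 'Banner <path>'.

    Only the global section (everything before the first Match line) is touched:
    an existing or commented-out Banner line there is replaced, duplicates are
    dropped, and if there is none the directive is placed just before the first
    Match line. Appending at end of file would be wrong, because a Match block
    extends to end of file and would swallow the new directive.
    """
    lines = config_text.splitlines()
    first_match = next((i for i, ln in enumerate(lines) if _MATCH_LINE.match(ln)),
                       len(lines))
    global_part, match_part = lines[:first_match], lines[first_match:]

    rewritten, done = [], False
    for line in global_part:
        if _BANNER_LINE.match(line):
            if not done:
                rewritten.append(f"Banner {banner_path}")
                done = True
            continue  # drop commented-out and duplicate Banner lines
        rewritten.append(line)
    if not done:
        rewritten.append(f"Banner {banner_path}")
    return "\n".join(rewritten + match_part) + "\n"


def active_global_banner(config_text: str):
    """Path from the first global Banner directive (sshd uses the first one), or None."""
    for line in config_text.splitlines():
        if _MATCH_LINE.match(line):
            break
        m = re.match(r"^\s*Banner\s+(\S+)\s*$", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def install_banner(root: Path, text: str = BANNER_TEXT) -> dict:
    """Write etc/issue, etc/issue.net and patch etc/ssh/sshd_config under root."""
    etc = root / "etc"
    etc.mkdir(parents=True, exist_ok=True)
    written = {}
    for name in ("issue", "issue.net"):
        path = etc / name
        path.write_text(text.rstrip("\n") + "\n")
        written[name] = path
    cfg = etc / "ssh" / "sshd_config"
    cfg.parent.mkdir(parents=True, exist_ok=True)
    current = cfg.read_text() if cfg.exists() else ""
    cfg.write_text(set_sshd_banner(current, "/etc/issue.net"))
    written["sshd_config"] = cfg
    return written


def sshd_config_is_valid(cfg: Path) -> bool:
    """Run 'sshd -t -f <cfg>' (test mode) before reloading; False if sshd is absent."""
    try:
        return subprocess.run(["sshd", "-t", "-f", str(cfg)], check=False).returncode == 0
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    root_dir = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/")
    paths = install_banner(root_dir)
    ok = sshd_config_is_valid(paths["sshd_config"])
    print(f"banner active: {active_global_banner(paths['sshd_config'].read_text())}")
    print("sshd -t passed; reload sshd (the service is 'ssh' on Debian-derived hosts)"
          if ok else "sshd -t failed or sshd not found; do not reload until it passes")
```

Two things to verify after running it: `sshd -T | grep -i banner` (the effective configuration, not the file) should report /etc/issue.net, and a fresh `ssh` connection should print the notice before the password or key prompt. The Windows counterpart is the LegalNoticeCaption and LegalNoticeText values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, normally set through Group Policy rather than by hand.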
C.2.6 Employee Termination Procedures
Unfortunately, employee termination often leads to a security incident.
This sad fact of life must be dealt with by businesses every day. Security
teams have routinely become involved in termination processing to ensure