6.6. Summary

In this chapter, I covered the key elements of physical security, social engineering, and the environment. This chapter also showed you how business continuity, information security, and access models work.

Physical security measures include access controls, physical barriers, and environmental systems. Environmental considerations include electrical, fire-suppression, and interference issues.

Wireless cell technology is growing at a rapid rate worldwide. The newest technology (GSM) allows interchangeable modules called SIMs to be used for international access. United States and European standards aren't interchangeable at this time. Many cell phone manufacturers are building cell phones that can operate in either environment equally well.

Security models must be concerned with physical security, security zones, partitioning, and the communications infrastructure. You should take a multilayered approach when you implement a security model.

Business continuity planning is the process of making decisions about how losses, outages, and failures are handled within an organization. The following are key aspects of BCP:

  • Business impact analysis (BIA)

  • Risk assessment

BIA includes evaluating the critical functions of the organization. This information is used to make informed decisions about how to deal with outages should they occur. Risk assessment is the process of evaluating and cataloging the threats, vulnerabilities, and weaknesses that exist in the systems being used. The risk assessment should tie in with BCP to ensure that all bases are covered.

Security models begin with an understanding of the business issues an organization is facing. The following business issues must be evaluated:

  • Policies

  • Standards

  • Guidelines

A good policy design includes scope statements, overview statements, accountability expectations, and exceptions. Each of these aspects of a well-crafted policy helps set the expectation for everyone in a company. For a policy to be effective, it needs the unequivocal support of the senior management or decision makers in an organization.

A number of standards are being developed to guide how organizations implement security. One of the newest standards gaining support worldwide is ISO 17799; this standard identifies the 11 key areas that a security policy or model must include. Certification using this standard is obtained through an auditing function performed by an outside party or accrediting agency.

Information classification is the process of determining what information is accessible to what parties and for what purposes. Classifications in industry are usually based on cataloging information as public or private. Public information can be classified as either limited distribution or full distribution. Private information is usually classified for internal use or restricted.

The primary roles in a security process include owner, custodian, and user. The owner of the data is responsible for determining access rights and uses. The custodian is responsible for maintaining and protecting data. The user is the person using the data to accomplish work.

Support roles in information classification include the security professional and the auditor. A security professional is a person who has access to the information and processes to ensure protection. An auditor is primarily concerned that processes and procedures are followed to protect information.

Access control models exist to categorize the usage of sensitive information. Three of the more common models are the Bell-LaPadula model, the Biba model, and the Clark-Wilson model. Less common models include the Information Flow and Noninterference models.

The Bell-LaPadula model works on the philosophy that you can't read up beyond your level of classification or write down to a lower classification. This model is primarily concerned with information security.

The Biba model is designed to prevent a user from writing up or reading down. This means that a user can't write information up to a higher level or read information down at a lower level than they're authorized to access. The Biba model is designed to provide data integrity as opposed to information security.
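The read and write rules of the two models above, as an added example that is not from the book: each subject and object carries a confidentiality level (checked by Bell-LaPadula) and an integrity level (checked by Biba), and access is granted only when both models agree. The three level names, the `Label` type, and the sample subject and objects are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed ordering, lowest to highest; the names are illustrative.
LEVELS = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Label:
    confidentiality: str  # compared by Bell-LaPadula
    integrity: str        # compared by Biba

def blp_allows(subject, obj, op):
    """Bell-LaPadula: no read up, no write down (confidentiality)."""
    s, o = LEVELS[subject.confidentiality], LEVELS[obj.confidentiality]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject, obj, op):
    """Biba: no read down, no write up (integrity)."""
    s, o = LEVELS[subject.integrity], LEVELS[obj.integrity]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation: {op}")

def check(subject, obj, op):
    """Enforce both models; return (allowed, list of violated rules)."""
    violations = []
    if not blp_allows(subject, obj, op):
        violations.append("Bell-LaPadula: " + ("read up" if op == "read" else "write down"))
    if not biba_allows(subject, obj, op):
        violations.append("Biba: " + ("read down" if op == "read" else "write up"))
    return (not violations, violations)

# Constructed subject and objects.
ANALYST = Label("medium", "medium")
OBJECTS = {
    "payroll": Label("high", "high"),
    "web_upload": Label("low", "low"),
    "audit_log": Label("medium", "high"),
}

if __name__ == "__main__":
    for name, obj in OBJECTS.items():
        for op in ("read", "write"):
            print(name, op, check(ANALYST, obj, op))
```

The `audit_log` object shows why the two labels are kept separate: the analyst may read it, but Biba blocks the write because the log's integrity level is higher than the analyst's.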

The Clark-Wilson model requires that all data access occur through controlled access programs. The programs dictate what information can be used and how it can be accessed. This is a common model in software development systems.

The Information Flow model is concerned with the properties of information flow, not only the direction of the flow. This model is concerned with all information flow, not just up or down. It requires that each piece of information have unique properties, including operation capabilities.

The Noninterference model is intended to ensure that higher-level security functions don't interfere with lower-level functions. In essence, if a higher-level user were changing information, the lower-level user wouldn't know or be affected by the changes. This approach prevents the lower-level user from being able to deduce what changes are being made to the system.
