Chapter 3. Information Security Framework

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

• Recognize the importance of the CIA security model.

• Describe the security objectives of confidentiality, integrity, and availability.

• Discuss why organizations choose to adopt a security framework.

• Recognize the value of NIST resources.

• Understand the intent of the ISO/IEC 27000-series of information security standards.

• Outline the domains of an information security program.

Our focus in this chapter on information security objectives and framework will answer the following (and many other) questions associated with the need to maintain secure communications among and between government, public, and private sectors. In context, our efforts to sustain reliable and secure communications have become a global cybersecurity effort.

• What are we trying to achieve in pursuit of information security?

• What is the ultimate goal of writing information security policies?

• What tangible benefit will come to our customers, our employees, our partners, and our organizations from our Herculean effort?

A framework lends itself to many easily related metaphors. The most obvious is that of any building: no foundation, no building. More specifically, the better the framing of any building, the longer it will last, the more it can hold, and the more functional it becomes. Of course, with any building there must first be a plan. We hire architects and engineers to design our buildings, to think about what is possible, and relay the best way to achieve those possibilities.

In the same way, we need a framework for our information security program. Much like the many rooms in a building, each with its own functions, we segment our information security program into logical and tangible units called domains. Security domains are associated with designated groupings of related activities, systems, or resources. For example, the Human Resources Security Management domain includes topics related to personnel, such as background checks, confidentiality agreements, and employee training. Without the framework, every new situation will see us repeating, redesigning, and reacting, which all together can be referred to as “unplanned,” or spending time in crisis. Fortunately, in the information security arena there is absolutely no reason to choose crisis over preparedness. Strategies involving proactive, rather than reactive, procedures have become the de facto standard for systems of cybersecurity governance. A number of public and private organizations, including the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST), have invested considerable time and energy to develop structures that we can draw upon.

In this chapter, you are going to be introduced to both. Before we begin building our information security program and policies, we need to first identify what we are trying to achieve and why. We will begin this chapter by discussing the three basic tenets of information security. We will then look at the escalating global threat, including who is behind the attacks, their motivation, and how they attack. We will apply this knowledge to building the framework of our information security program and how we write our policies.

CIA

CIA. It is easy to guess that the first thing that popped into your mind when you read those three letters was the Central Intelligence Agency. In the information security world, these three letters represent something we strive to attain rather than an agency of the United States government. Confidentiality, integrity, and availability (CIA) are the unifying attributes of an information security program. Collectively referred to as the CIA triad or CIA security model, each attribute represents a fundamental objective of information security. The Federal Information Security Management Act (FISMA) defines the relationship between information security and the CIA triad as follows:

(1) The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—

(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation, accuracy, and authenticity;

(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

(C) availability, which means ensuring timely and reliable access to and use of information.

You may be wondering which is most important: confidentiality, integrity, or availability? The answer requires an organization to assess its mission, evaluate its services, and consider regulations and contractual agreements. As Figure 3.1 illustrates, organizations may consider all three components of the CIA triad equally important, in which case resources must be allocated proportionately.


FIGURE 3.1 CIA triad.

What Is Confidentiality?

When you tell a friend something “in confidence,” you expect them to keep the information private and to not share what you told them with anyone else without your permission. You also hope that they will never use this against you. Likewise, confidentiality is the requirement that private or confidential information not be disclosed to unauthorized individuals.

The information exchanged between doctors and patients or lawyers and clients is protected by confidentiality laws called the “doctor-patient privilege” and the “attorney-client privilege,” respectively. We place a very high value on this quality in people and express it in many ways, referring to those who keep our confidences as trustworthy, dependable, or loyal. The confidentiality of information is certainly not a new idea, so what is all the fuss about?

Not only has the amount of information stored, processed, and transmitted on privately owned networks and the public Internet increased dramatically, so has the number of ways to potentially access the data. The Internet, its inherent weaknesses, and those willing (and able) to exploit vulnerabilities are the main reasons why protecting confidentiality has taken on a new urgency. The technology and accessibility we take for granted would have been considered magic just ten years ago. The amazing speed at which we arrived here is also the reason we have such a gap in security. The race to market often means that security is sacrificed. So although it may seem to some that information security requirements are a bit extreme at times, it is really a reaction to the threat environment.

As it pertains to information security, confidentiality is the protection of information from unauthorized people and processes. Federal Code 44 U.S.C., Sec. 3542 defines confidentiality as “preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.”

None of us likes the thought of our private health information or financial information falling into some stranger’s hands. No business owner likes the thought of her proprietary business information being disclosed to competitors. Information is valuable. Social security numbers are used for identity theft. Bank account credentials are used to steal money. Medical insurance information can be used to fraudulently obtain services or to make counterfeit claims. Military secrets can be used to build weaponry, track troop movements, or expose counterintelligence agents. The list goes on and on.


FYI: The Enemy Within

Authorized access can be misused with dangerous, even deadly, consequences. Consider the case of U.S. Army Private Bradley Manning. Assigned to an army unit based near Baghdad, Manning held a Top Secret/SCI clearance and had access to documents on two classified networks: SIPRNET, the Top Secret–level network used by the Department of Defense and the State Department, and the Joint Worldwide Intelligence Communications System, which serves both agencies at the Top Secret/SCI level.

Manning downloaded classified material onto a CD. According to Manning, “I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music, then write a compressed split file. No one suspected a thing and, odds are, they never will. I listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history.” The material included videos of the July 12, 2007 Baghdad airstrike and the 2009 Granai airstrike in Afghanistan; 250,000 United States diplomatic cables; and 500,000 army reports that came to be known as the Iraq War logs and Afghan War logs.

Manning provided the documents and videos to WikiLeaks, an organization that facilitates the anonymous leaking of secret information through its website. They describe themselves as follows: “WikiLeaks is a not-for-profit media organisation. Our goal is to bring important news and information to the public. We provide an innovative, secure and anonymous way for sources to leak information to our journalists (our electronic drop box).” The material provided by Manning was the largest set of restricted documents ever leaked to the public. WikiLeaks or its media partners published much of it between April and November 2010.

Manning was arrested on July 6, 2010. The U.S. military charged Manning with violating army regulations by transferring classified information to a personal computer and adding unauthorized software to a classified computer system, as well as with violating federal laws governing the handling of classified information. Asked how he got away with it, he said, “Weak servers, weak logging, weak physical security, weak counterintelligence, and inattentive signal analysis... a perfect storm.”


Cybercrime is a relatively easy, low-risk, high-reward venture. There is plenty of money to be made. The chances of being caught are slim. The tools are readily available. Criminals look for and are prepared to exploit weaknesses in network designs, software, communication channels, and people. The opportunities are plentiful. Criminals are not always outsiders. Insiders can be tempted to “make copies” of information they have access to for financial gain, notoriety, or to “make a statement.” The most recent threat to confidentiality is hacktivism, which is a combination of the terms “hack” and “activism.” Hacktivism has been described as the fusion of hacking and activism, politics and technology. Hacktivist groups or collectives expose or hold hostage illegally obtained information to make a political statement or for revenge.


FYI: Hacktivism

A member of the Cult of the Dead Cow hacker collective named Omega first coined the term in 1996. If hacking as “illegally breaking into computers” is assumed, then hacktivism could be defined as “the use of legal and/or illegal digital tools in pursuit of political ends.” These tools include website defacements, redirects, denial of service (DoS) attacks, information theft, website parodies, virtual sit-ins, typosquatting, and virtual sabotage.


The ability to obtain unauthorized access is often opportunistic. In this context, opportunistic means taking advantage of identified weaknesses. Criminals (and nosy employees) care about the work factor, which is defined as how much effort is needed to complete a task. The longer it takes to obtain unauthorized access, the greater the chance of being caught. The more a “job” costs to successfully complete, the less profit earned. The information security goal of confidentiality is to protect information from unauthorized access and misuse. The best way to do this is to implement safeguards and processes that increase the work factor and the chance of being caught. This calls for a spectrum of access controls and protections as well as ongoing monitoring, testing, and training.

What Is Integrity?

Whenever the word integrity comes to mind, so does Brian De Palma’s classic 1987 film The Untouchables, starring Kevin Costner and Sean Connery. The film is about a group of police officers who could not be “bought off” by organized crime. They were incorruptible. Integrity is certainly one of the highest ideals of personal character. When we say someone has integrity, we mean she lives her life according to a code of ethics; she can be trusted to behave in certain ways in certain situations. It is interesting to note that those to whom we ascribe the quality of integrity can be trusted with our confidential information. As for information security, integrity has a very similar meaning. Integrity is the protection of information, processes, or systems from intentional or accidental unauthorized modification. In the same way we count on people of integrity to behave a certain way, we rely on our information to be a certain way.

Data integrity is a requirement that information and programs are changed only in a specified and authorized manner. In other words, is the information the same as it was intended to be? For example, if you save a file with important information that must be relayed to members of your organization, but someone opens the file and changes some or all of the information, the file has lost its integrity. The consequences could be anything from coworkers missing a meeting you planned for a specific date and time, to 50,000 machine parts being produced with the wrong dimensions.

System integrity is a requirement that a system “performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.” A computer virus that corrupts some of the system files required to “boot” the computer is an example of deliberate unauthorized manipulation.

Errors and omissions are an important threat to data and system integrity. These errors are caused not only by data entry clerks processing hundreds of transactions per day, but also by all types of users who create and edit data and code. Even the most sophisticated programs cannot detect all types of input errors or omissions. In some cases, the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, the errors create vulnerabilities. Programming and development errors, often called “bugs,” can range in severity from benign to catastrophic.

To make this a bit more personal, let’s talk about medical and financial information. What if you are injured, unconscious, and taken to the emergency room of a hospital, and the doctors need to look up your health information. You would want it to be correct, wouldn’t you? Consider what might happen if you had an allergy to some very common treatment and this critical information had been deleted from your medical records. Or think of your dismay if you check your bank balance after making a deposit and find that the funds have not been credited to your account!

Integrity and confidentiality are interrelated. If a user password is disclosed to the wrong person, that person could in turn manipulate, delete, or destroy data after gaining access to the system with the password he obtained. Many of the same vulnerabilities that threaten integrity also threaten confidentiality. Most notable, though, is human error. Safeguards that protect against the loss of integrity include access controls such as encryption and digital signatures, process controls such as code testing, monitoring controls such as file integrity monitoring and log analysis, and behavioral controls such as separation of duties, rotation of duties, and training.

What Is Availability?

The final component of the CIA triad is also most often left out of consideration when one thinks about security. But, what does it mean to be secure? Would you feel secure if your car failed to start? Would you feel secure if you were very sick and your doctor could not be found? Whether or not systems and data are available for use is just as crucial as the confidentiality and integrity of the data itself. Availability is the assurance that systems and data are accessible by authorized users when needed. If we can’t access the data we need, when we need it, we are not secure.

We must broaden our understanding of what information security means in several ways. For one (which was demonstrated earlier), information security is not just about computers—it is about information. For another, security does not pertain only to crime, malicious acts, or those who perpetrate them. It also pertains to feeling secure that the information can be used when needed, in the way needed.

In fact, availability is generally one of the first security issues addressed by Internet service providers (ISPs). You may have heard the expressions “uptime” and “5-9s” (99.999% uptime). This means the systems that serve Internet connections, web pages, and other such services will be available to users who need them when they need them. The service level agreement (SLA) is a type of agreement between a service provider and a customer that specifically addresses availability of services.
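To make “5-9s” concrete, the following added example (not code from the chapter) turns an uptime percentage into a downtime budget for a period and checks a constructed outage log against it. The log format and its entries are assumptions made for the example.

```python
"""Availability budget check against an SLA uptime target (added example).

Converts an uptime percentage such as 99.999% ("5-9s") into the seconds of
downtime it permits, then sums recorded outages to see whether the SLA held.
"""
from datetime import datetime

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31,536,000 (non-leap year)


def downtime_budget_seconds(uptime_pct, period_seconds=SECONDS_PER_YEAR):
    """Seconds of downtime an uptime target allows over the period."""
    if not 0 <= uptime_pct <= 100:
        raise ValueError("uptime_pct must be between 0 and 100")
    return period_seconds * (100.0 - uptime_pct) / 100.0


# Constructed outage log: one "start,end" record per line, ISO 8601, UTC.
SAMPLE_OUTAGE_LOG = """\
# outage_start,outage_end
2023-02-14T03:10:00,2023-02-14T03:12:30
2023-07-01T22:00:00,2023-07-01T22:04:00
2023-11-09T11:45:10,2023-11-09T11:45:40
"""


def parse_outages(log_text):
    """Return each outage's duration in seconds; rejects records that end before they start."""
    durations = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start_s, end_s = line.split(",", 1)
        start = datetime.fromisoformat(start_s.strip())
        end = datetime.fromisoformat(end_s.strip())
        if end < start:
            raise ValueError(f"line {lineno}: outage ends before it starts")
        durations.append((end - start).total_seconds())
    return durations


def evaluate_sla(uptime_pct, durations, period_seconds=SECONDS_PER_YEAR):
    """Compare total recorded downtime with the budget the target allows."""
    budget = downtime_budget_seconds(uptime_pct, period_seconds)
    total_down = sum(durations)
    achieved = 100.0 * (period_seconds - total_down) / period_seconds
    return {
        "budget_seconds": budget,
        "downtime_seconds": total_down,
        "achieved_uptime_pct": achieved,
        "met": total_down <= budget,
    }


if __name__ == "__main__":
    outages = parse_outages(SAMPLE_OUTAGE_LOG)
    for target in (99.9, 99.99, 99.999):
        print(target, evaluate_sla(target, outages))
```

Seven minutes of outages in a year is within a 99.99% target but already over the roughly five minutes that 99.999% allows, which is why the measurement period and what counts as an outage must be pinned down in the SLA itself.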

Just like confidentiality and integrity, we prize availability. We want our friends and family to “be there when we need them,” we want food and drink available, we want our money available, and so forth. In some cases, our lives depend on the availability of these things, including information. Ask yourself how you would feel if you needed immediate medical care and your physician could not access your medical records.

Threats to availability include loss of processing ability due to natural disasters; hardware failures; programming errors; human error; injury, sickness, or death of key personnel; distributed denial of service (DDoS) attacks; and malicious code. We are more vulnerable to availability threats than to the other components of the CIA triad. We are certain to face some of them. Safeguards that address availability include access controls, monitoring, data redundancy, resilient systems, virtualization, server clustering, environmental controls, continuity of operations planning, and incident response preparedness.


FYI: Distributed Denial of Service Attacks

A DoS attack is an attempt to make a machine or network resource unavailable for its intended use. In general terms, DoS attacks consume computing resources or obstruct the communication channel.


As illustrated in Figure 3.2, a DDoS attack is one in which a multitude of compromised systems attack a single target. The flood of incoming requests to the target system essentially forces it to shut down, thereby denying service to legitimate users. There are multiple victims in a DDoS attack: the owners of the targeted systems, the users of the targeted system, and the owners of the compromised computers. A computer used in the attack is known as a bot. A group of co-opted computers is known as a botnet. Although the owners of co-opted computers are typically unaware that their computers have been compromised, they are nevertheless likely to suffer degradation of service and malfunction.


FIGURE 3.2 A conceptual diagram of a DDoS attack.

Who Is Responsible for CIA?

It is the information owners’ responsibility to ensure confidentiality, integrity, and availability. What does it mean to be an information owner? Under the FISMA Act of 2002, an information owner is an official with statutory or operational authority for specified information and responsibility for establishing the criteria for its creation, collection, processing, dissemination, or disposal, which may extend to interconnected systems or groups of interconnected systems. More simply, an information owner has the authority and responsibility for ensuring that information is protected, from creation through destruction. For example, a bank’s senior loan officer might be the owner of information pertaining to customer loans. The senior loan officer has the responsibility to decide who has access to customer loan information, the policies for using this information, and the controls to be established to protect this information.

Information technology (IT) or information systems (IS) departments are widely perceived as owning the information and information systems. Perhaps this is due to the word “information” being part of the department title. For the record, with the exception of information specific to their department, IT and IS departments should not be considered information owners. Rather, they are the people charged with maintaining the systems that store, process, and transmit the information. They are known as information custodians—those responsible for implementing, maintaining, and monitoring safeguards and systems. They are better known as system administrators, webmasters, and network engineers. We will be taking a closer look at each of these roles in the next chapter.

Information Security Framework

The best security minds in the world have contributed to researching, evaluating, and publishing security frameworks. Security framework is a collective term given to guidance on topics related to information systems security, predominantly regarding the planning, implementing, managing, and auditing of overall information security practices. Two of the most widely used frameworks are the Information Technology and Security Framework created by the United States NIST and the Information Security Management System offered by the ISO. NIST offers well-documented procedures and programs to support secure information systems, whereas the ISO offers a certifiable method for integrating information security into the management process. When these frameworks are used in concert, an organization can create a comprehensive information security program.

What Is NIST’s Function?

Founded in 1901, the NIST is a nonregulatory federal agency within the U.S. Commerce Department’s Technology Administration. NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve quality of life. The Computer Security Division (CSD) is one of eight divisions within NIST’s Information Technology Laboratory. The mission of NIST’s CSD is to improve information systems security as follows:

• By raising awareness of IT risks, vulnerabilities, and protection requirements, particularly for new and emerging technologies.

• By researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive federal systems.

• By developing standards, metrics, tests, and validation programs
   – to promote, measure, and validate security in systems and services, and
   – to educate consumers and to establish minimum security requirements for federal systems.

• By developing guidance to increase secure IT planning, implementation, management, and operation.

The 2002 E-Government Act [Public Law 107-347] assigned the NIST the mission of developing an Information Assurance Framework (standards and guidelines) designed for federal information systems that are not designated as national security systems. The NIST Information Assurance Framework includes the Federal Information Processing Standards (FIPS) and Special Publications (SP). Although developed for government use, the framework is applicable to the private sector and addresses the management, operational, and technical aspects of protecting the CIA of information and information systems.

NIST defines information security as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide CIA. Currently, there are more than 300 NIST information security–related documents. This number includes FIPS, the SP 800 series, Information Technology Laboratory (ITL) bulletins, and NIST interagency reports (NIST IR):

• Federal Information Processing Standards (FIPS)—This is the official publication series for standards and guidelines adopted and promulgated under the provisions of the FISMA Act of 2002.

• Special Publication (SP) 800 series—This series reports on ITL research, guidelines, and outreach efforts in information system security and its collaborative activities with industry, government, and academic organizations.

• ITL bulletins—Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis.

From access controls to wireless security, the NIST publications are truly a treasure trove of valuable and practical guidance.

What Does the ISO Do?

The ISO is a network of the national standards institutes of 146 countries. Each member country is allowed one delegate, and a Central Secretariat in Geneva, Switzerland coordinates the system. In 1946, delegates from 25 countries met in London and decided to create a new international organization, of which the objective would be “to facilitate the international coordination and unification of industrial standards.” The new organization, ISO, officially began operations on February 23, 1947.

ISO is a nongovernmental organization: Unlike the United Nations, its members are not delegations of national governments. Nevertheless, ISO occupies a special position between the public and private sectors. This is because, on the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations. ISO has developed more than 13,000 International Standards on a variety of subjects, ranging from country codes to passenger safety.

The ISO/IEC 27000 series (also known as the ISMS Family of Standards, or ISO27k for short) comprises information security standards published jointly by the ISO and the International Electrotechnical Commission (IEC).

The first six documents in the ISO/IEC 27000 series provide recommendations for “establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System.” In all, there are 22 documents in the series, and several more are still under development.

• ISO 27001 is the specification for an Information Security Management System (ISMS).

• ISO 27002 describes the Code of Practice for information security management.

• ISO 27003 provides detailed implementation guidance.

• ISO 27004 outlines how an organization can monitor and measure security using metrics.

• ISO 27005 defines the high-level risk management approach recommended by ISO.

• ISO 27006 outlines the requirements for organizations that will measure ISO 27000 compliance for certification.

The framework is applicable to public and private organizations of all sizes. According to the ISO website, “the ISO standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization. It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.”

We are going to focus on the ISO 27002 Code of Practice. ISO 27002 has its origins in Great Britain. In 1989, the UK Department of Trade and Industry’s (DTI’s) Commercial Computer Security Centre (CCSC) developed the “Users Code of Practice,” designed to help computer users employ sound security practices and ensure the CIA of information systems. Further development came from the National Computing Centre (NCC), and later a group formed from British industry, to ensure that the Code was applicable and practical from a user’s point of view. The document was originally published as British Standards guidance document PD 0003: A Code of Practice for Information Security Management. After more input was received from private sector organizations, the document was reintroduced as British Standard BS7799:1995. After two revisions in 1997 and 1999, BS7799 was proposed as an ISO standard. Though the first revisions were defeated, it was eventually adopted by the ISO after an international ballot closed in August 2000 and published with minor amendments as ISO/IEC 17799:2000 on December 1, 2000. A new version, ISO 17799:2005, was published in 2005. In 2007, this version was renamed as 27002:2005 and incorporated into the 27000 series. The most significant difference between the 17799 series and the 27000 series is an optional certification process. An organization’s ISMS may be certified compliant with ISO/IEC 27001 by a number of Accredited Registrars worldwide.

In October 2013, ISO 27002:2005 was replaced with ISO 27002:2013. Two categories were added: Cryptography and Supplier Relationships. The Operations and Communications domain was split into two separate categories. Most importantly, a decision was made to remove the risk assessment guidance because it was a subset of ISO 27005, which specifically addresses information security risk management, including risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring, and risk review. More information about the ISO can be found at www.iso.org.

Can the ISO Standards and NIST Publications Be Used to Build a Framework?

The ISO 27002:2013 Code of Practice is a comprehensive set of information security recommendations comprising best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium, and small organizations. The term organization is used throughout this standard to mean both commercial and nonprofit organizations such as public sector and government agencies. ISO 27002:2013 does not mandate specific controls but leaves it to the organization to select and implement controls that suit them, using a risk-assessment process to identify the most appropriate controls for their specific requirements. The recommended practices are organized into the following “domains” or categories:

• Information Security Policies

• Organization of Information Security

• Human Resources Security

• Asset Management

• Access Control

• Cryptography

• Physical and Environmental Security

• Operations Security

• Communications Security

• Systems Acquisition, Development, and Maintenance

• Supplier Relationships

• Information Security Incident Management

• Business Continuity Management

• Compliance Management

We will be using both the ISO 27002:2013 Code of Practice and the NIST guidance as a framework for developing procedures and policies. Using this framework will allow us to organize our approach to developing policies; it provides a structure for development and a method of grouping similar policies. The first step is to become familiar with the goals and intent of each of the security domains (or categories). In subsequent chapters, we examine each domain in depth, evaluate security practices, and develop policy.

Information Security Policies (ISO 27002:2013 Section 5)

The Information Security Policies domain focuses on information security policy requirements and the need to align policy with organizational objectives. The domain stresses the importance of management participation and support. This domain is covered in Chapter 4, “Governance and Risk Management.”

The corresponding NIST Special Publications are as follows:

• SP 800-12: An Introduction to Computer Security: The NIST Handbook

• SP 800-100: Information Security Handbook: A Guide for Managers

Organization of Information Security (ISO 27002:2013 Section 6)

The Organization of Information Security domain focuses on establishing and supporting a management structure to implement and manage information security within, across, and outside the organization. Inward-facing governance concentrates on employee and stakeholder relationships. Outward-facing governance concentrates on third-party relationships. Third parties include vendors, trading partners, customers, and service providers. This domain is covered in Chapter 4.

The corresponding NIST Special Publications are as follows:

• SP 800-12: An Introduction to Computer Security: The NIST Handbook

• SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems

• SP 800-100: Information Security Handbook: A Guide for Managers

Human Resources Security Management (ISO 27002:2013 Section 7)

The Human Resources Security Management domain focuses on integrating security into the employee lifecycle, agreements, and training. Human nature is to be trusting. This domain reminds us that there are both good and bad people and that we need to keep our eyes wide open. This domain is covered in Chapter 6, “Human Resources Security.”

The corresponding NIST Special Publications are as follows:

• SP 800-12: An Introduction to Computer Security: The NIST Handbook

• SP 800-16: Information Technology Security Training Requirements: A Role- and Performance-Based Model

• SP 800-50: Building an Information Technology Security Awareness and Training Program

• SP 800-100: Information Security Handbook: A Guide for Managers

Asset Management (ISO 27002:2013 Section 8)

The Asset Management domain focuses on developing classification schema, assigning classification levels, and maintaining accurate inventories of data and devices. The importance of documented handling standards to protect information is stressed. This domain is covered in Chapter 5, “Asset Management.”

The corresponding NIST Special Publications are as follows:

• SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories (two volumes)

• SP 800-88: Guidelines for Media Sanitization

Access Control (ISO 27002:2013 Section 9)

The Access Control domain focuses on managing authorized access and preventing unauthorized access to information systems. This domain extends to remote locations, home offices, and mobile access. This domain is covered in Chapter 9, “Access Control Management.”

The corresponding NIST Special Publications are as follows:

• SP 800-41, R1: Guidelines on Firewalls and Firewall Policy

• SP 800-46, R1: Guide to Enterprise Telework and Remote Access Security

• SP 800-63: Electronic Authentication Guidance

• SP 800-77: Guide to IPsec VPNs

• SP 800-113: Guide to SSL VPNs

• SP 800-114: User’s Guide to Securing External Devices for Telework and Remote Access

• SP 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs)

Cryptography (ISO 27002:2013 Section 10)

The Cryptography domain was added in the 2013 update. The domain focuses on proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information. Special attention is paid to key management. This domain is included in Chapter 10, “Information Systems Acquisition, Development, and Maintenance.”

The corresponding NIST Special Publications are as follows:

• SP 800-57: Recommendations for Key Management, Part 1: General (Revision 3)

• SP 800-57: Recommendations for Key Management, Part 2: Best Practices for Key Management Organization

• SP 800-57: Recommendations for Key Management, Part 3: Application-Specific Key Management Guidance

• SP 800-64: Security Considerations in the System Development Life Cycle

• SP 800-111: Guide to Storage Encryption Technologies for End User Devices

Physical and Environmental Security (ISO 27002:2013 Section 11)

The Physical and Environmental Security domain focuses on designing and maintaining a secure physical environment to prevent unauthorized access, damage, and interference to business premises. Special attention is paid to disposal and destruction. This domain is covered in Chapter 7, “Physical and Environmental Security.”

The corresponding NIST Special Publications are as follows:

• SP 800-12: An Introduction to Computer Security: The NIST Handbook

• SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems

• SP 800-88: Guidelines for Media Sanitization

• SP 800-100: Information Security Handbook: A Guide for Managers

Operations Security (ISO 27002:2013 Section 12)

The Operations Security domain focuses on data center operations, integrity of operations, vulnerability management, protection against data loss, and evidence-based logging. This domain is covered in Chapter 8, “Communications and Operations Security.”

The corresponding NIST Special Publications are as follows:

• SP 800-40: Creating a Patch and Vulnerability Management Program

• SP 800-42: Guideline on Network Security Testing

• SP 800-83: Guide to Malware Incident Prevention and Handling for Desktops and Laptops

• SP 800-92: Guide to Computer Security Log Management

• SP 800-100: Information Security Handbook: A Guide for Managers

Communications Security (ISO 27002:2013 Section 13)

The Communications Security domain focuses on the protection of information in transit. The domain incorporates internal and external transmission as well as Internet-based communication. This domain is covered in Chapter 8.

The corresponding NIST Special Publications are as follows:

• SP 800-45: Guidelines on Electronic Mail Security

• SP 800-92: Guide to Computer Security Log Management

• SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems

Information Systems Acquisition, Development, and Maintenance (ISO 27002:2013 Section 14)

The Information Systems Acquisition, Development, and Maintenance domain focuses on the security requirements of information systems, applications, and code from conception to destruction. This sequence is referred to as the systems development lifecycle. This domain is covered in Chapter 10.

Here’s the corresponding NIST Special Publication:

• SP 800-23: Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products

Supplier Relationships (ISO 27002:2013 Section 15)

The Supplier Relationships domain was added in the 2013 update. The domain focuses on service delivery, third-party security requirements, contractual obligations, and oversight. This domain is included in Chapter 8.

There is no corresponding NIST Special Publication.

Information Security Incident Management (ISO 27002:2013 Section 16)

The Information Security Incident Management domain focuses on a consistent and effective approach to the management of information security incidents, including detection, reporting, response, escalation, and forensic practices. This domain is covered in Chapter 11, “Information Security Incident Management.”

The corresponding NIST Special Publications are as follows:

• SP 800-61: Computer Security Incident Handling Guide

• SP 800-83: Guide to Malware Incident Prevention and Handling

• SP 800-86: Guide to Integrating Forensic Techniques into Incident Response

Business Continuity Management (ISO 27002:2013 Section 17)

The Business Continuity Management domain focuses on availability and the secure provision of essential services during a disruption of normal operating conditions. ISO 22301 provides a framework to plan, establish, implement, operate, monitor, review, maintain, and continually improve a business continuity management system (BCMS). This domain is covered in Chapter 12, “Business Continuity Management.”

The corresponding NIST Special Publications are as follows:

• SP 800-34: Contingency Planning Guide for Information Technology Systems, Revision 1

• SP 800-84: Guide to Test, Training and Exercise Programs for Information Technology Plans and Capabilities

Compliance Management (ISO 27002:2013 Section 18)

The Compliance Management domain focuses on conformance with internal policy; local, national, and international criminal and civil laws; regulatory or contractual obligations; intellectual property rights (IPR); and copyrights. This domain relates to Part III, “Regulatory Compliance” (Chapters 13, 14, and 15).

The corresponding NIST Special Publications are as follows:

• SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories (Volume 1: Guide; Volume 2: Appendices)

• SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

• SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

Too Many Domains?

As with policies, for an information security program to be effective, it must be meaningful and relevant as well as appropriate to the size and complexity of the organization. Not all organizations will need all the policies referenced in the ISO 27002 Code of Practice. The key is to understand which domains are applicable to a given environment and then develop, adopt, and implement the controls and policies that make sense for the organization. Remember, policies must support, not hinder, the mission and goals of an organization.

Section 4.1 of the 27002:2013 Code of Practice document informs us that the order of the domains does not imply their importance, nor are they listed in priority order. As such, this book takes the liberty of reordering the sections and, where applicable, combining domains. Starting with Chapter 4 and continuing through Chapter 12, we map the security objectives of each domain to realistic, relevant, and usable practices and policies. We define goals and objectives, explore in detail relevant security issues, and discuss the applicability of the standard.


NOTE

Within each chapter, you will find “In Practice” sidebars that contain relevant policy statements. Each policy statement is preceded by a synopsis. The synopsis is included only as explanatory text and would not normally be included in a policy document. At the end of the book, you will find a comprehensive information security policy document that includes all the policy statements as well as the supporting policy elements discussed in Chapter 2, “Policy Elements and Style.”


Summary

Ensuring confidentiality, integrity, and availability is the unifying principle of every information security program. Collectively referred to as the CIA triad or CIA security model, each attribute represents a fundamental objective and corresponding action related to the protection of information, processes, or systems. Confidentiality is protection from unauthorized access or disclosure. Integrity is protection from manipulation. Availability is protection from denial of service (DOS). In support of the CIA triad are the security principles known as the Five A’s: accountability, assurance, authentication, accounting, and authorization.

An information owner is one who has been assigned the authority and responsibility for ensuring that information and related systems are protected from creation through destruction. This includes making decisions on information classification, safeguards, and controls. Information custodians are those responsible for implementing, maintaining, and monitoring the safeguards based on decisions made by information owners. Cohesive decision making requires a framework.

A security framework is a collective term given to guidance on topics related to information systems security, predominantly regarding the planning, implementing, managing, and auditing of overall information security practices. The International Organization for Standardization (ISO) has published a technology-neutral Code of Standards for Information Security known as the ISO/IEC 27002:2013. This standard has been internationally adopted by both private and public organizations of all sizes. ISO 27002:2013 is divided into 14 domains. Each of these categories has a control objective, compliance requirements, and recommended policy components. The United States National Institute of Standards and Technology (NIST) has a number of Special Publications that complement the ISO Code of Practice. The publications provide in-depth research, recommendations, and guidance that can be applied to security domains and specific technologies. In this book, we use both to build our information security policy and program.

Test Your Skills

Multiple Choice Questions

1. Which of the following are the three principles in the CIA triad?

A. Confidence, integration, availability

B. Consistency, integrity, authentication

C. Confidentiality, integrity, availability

D. Confidentiality, integrity, awareness

2. Which of the following is an example of acting upon the goal of integrity?

A. Ensuring that only authorized users can access data

B. Ensuring that systems have 99.9% uptime

C. Ensuring that all modifications go through a change-control process

D. Ensuring that changes can be traced back to the editor

3. Which of the following is a control that relates to availability?

A. Disaster recovery site

B. Firewall

C. Training

D. Encryption

4. Which of the following is an objective of confidentiality?

A. Protection from unauthorized access

B. Protection from manipulation

C. Protection from denial of service

D. Protection from authorized access

5. As it pertains to information security, assurance is ____________________________.

A. the process of tracing actions to their source

B. the processes, policies, and controls used to develop confidence that security measures are working as intended

C. the positive identification of the person or system seeking access to secured information or systems

D. the logging of access and usage of information resources

6. Which of the following terms best describes the granting of users and systems a predetermined level of access to information resources?

A. Availability

B. Accountability

C. Assurance

D. Authorization

7. Which of the following statements identify threats to availability? (Select all that apply.)

A. Loss of processing capabilities due to natural disaster or human error

B. Loss of confidentiality due to unauthorized access

C. Loss of personnel due to accident

D. Loss of reputation from unauthorized event

8. Which of the following terms best describes the logging of access and usage of information resources?

A. Accountability

B. Acceptance

C. Accounting

D. Actuality

9. Which of the following combination of terms best describes the Five A’s of information security?

A. Awareness, acceptance, availability, accountability, authentication

B. Awareness, acceptance, authority, authentication, availability

C. Accountability, assurance, authorization, authentication, accounting

D. Acceptance, authentication, availability, assurance, accounting

10. An information owner is responsible for _____________________.

A. maintaining the systems that store, process, and transmit information

B. protecting the information and the business results derived from use of that information

C. protecting the people and processes used to access digital information

D. none of the above

11. Which of the following terms best describes ISO?

A. Internal Standards Organization

B. International Organization for Standardization

C. International Standards Organization

D. Internal Organization of Systemization

12. Which of the following statements best describes opportunistic crime?

A. Crime that is well-planned

B. Crime that is targeted

C. Crime that takes advantage of an identified weakness

D. Crime that is quick and easy

13. Which of the following terms best describes the motivation for hacktivism?

A. Financial

B. Political

C. Personal

D. Fun

14. The greater the criminal work factor, the _____

A. more time it takes

B. more profitable the crime is

C. better chance of success

D. less chance of getting caught

15. Which of the following terms best describes an attack whose purpose is to make a machine or network resource unavailable for its intended use?

A. Man-in-the-middle

B. Data breach

C. Denial of service

D. SQL injection

16. Information custodians are responsible for _____

A. writing policy

B. classifying data

C. approving budgets

D. implementing safeguards

17. The National Institute of Standards and Technology (NIST) is a(n) ______

A. international organization

B. privately funded organization

C. U.S. government agency

D. European Union agency

18. The International Organization for Standardization (ISO) is _____

A. a nongovernmental organization

B. an international organization

C. headquartered in Geneva

D. all of the above

19. The current ISO family of standards that relates to information security is _______________.

A. BS 7799:1995

B. ISO 17799:2006

C. ISO/IEC 27000

D. None of the above

20. Which of the following terms best describes the security domain that relates to determining the appropriate safeguards as it relates to the likelihood of a threat to an organization?

A. Security policy

B. Access control

C. Compliance

D. Risk assessment

21. Which of the following terms best describes the security domain that relates to how data is classified and valued?

A. Security policy

B. Asset management

C. Compliance

D. Access control

22. Which of the following terms best describes the security domain that includes HVAC, fire suppression, and secure offices?

A. Operations

B. Communications

C. Risk assessment

D. Physical and environmental controls

23. Which of the following terms best describes the security domain that aligns most closely with the objective of confidentiality?

A. Access control

B. Compliance

C. Incident management

D. Business continuity

24. The primary objective of the __________ domain is to ensure conformance with GLBA, HIPAA, PCI/DSS, FERPA, and FISMA.

A. Security Policy

B. Compliance

C. Access Control

D. Contract and Regulatory

25. Processes that include responding to a malware infection, conducting forensics investigations, and reporting breaches are included in the _____________ domain.

A. Security Policy

B. Operations and Communications

C. Incident Management

D. Business Continuity Management

26. Which of the following terms best describes a synonym for business continuity?

A. Authorization

B. Authentication

C. Availability

D. Accountability

27. The ____________ can be held legally responsible for the safeguarding of legally protected information.

A. information user

B. information owner

C. information custodian

D. information author

28. Personnel screening, acceptable use, confidentiality agreements, and training are controls that relate to the ______________ domain.

A. Operations and Communications

B. Security Policy

C. Human Resources

D. Legal and Compliance

29. Defining organizational roles, responsibilities, and authority relate to the __________ domain.

A. Operations and Communications

B. Security Policy

C. Governance

D. Legal and Compliance

30. Which of the following security objectives is most important to an organization?

A. Confidentiality

B. Integrity

C. Availability

D. The answer may vary from organization to organization.

Exercises

Exercise 3.1: Understanding CIA

1. Define the security term “confidentiality.” Provide an example of a business situation where confidentiality is required.

2. Define the security term “integrity.” Provide an example of a business situation in which the loss of integrity could result in significant harm.

3. Define the security term “availability.” Provide an example of a business situation in which availability is more important than confidentiality.

Exercise 3.2: Understanding Opportunistic Cybercrime

1. Define what is meant by an “opportunistic” crime.

2. Provide an example.

3. Locate (online) a copy of the most recent Verizon Data Breach Incident Report. What percentage of cybercrimes are considered “opportunistic”?

Exercise 3.3: Understanding Hacktivism or DDoS

1. Find a recent news article relating to either hacktivism or a distributed denial of service (DDoS) attack.

2. Summarize the attack.

3. Explain why the attacker was successful (or not).

Exercise 3.4: Understanding NIST and ISO

1. At their respective websites, read the Mission and About sections of both the ISO (www.iso.org) and the NIST Computer Security Resource Center (http://csrc.nist.gov/). Describe the similarities and differences between the organizations.

2. Which do you think is more influential, and why?

Exercise 3.5: Understanding ISO 27002

1. Choose one of the ISO 27002:2013 categories and explain why this domain is of particular interest to you.

2. ISO 27002 Supplier Relationships (Section 15) was added in the 2013 version. Why do you think this section was added?

3. 27002:2013 does not mandate specific controls but leaves it to the organization to select and implement controls that suit them. NIST Special Publications provide specific guidance. In your opinion, which approach is more useful?

Projects

Project 3.1: Conducting a CIA Model Survey

1. Survey ten people about the importance of the CIA model to them. Use the following table as a template. Ask them to name three types of data they have on their phone or tablet. For each data type, ask which is more important—that the information on their device be kept confidential (C), be correct (I), or be available (A).

[Table: CIA model survey template]

2. Summarize the responses.

3. Are the responses in line with your expectations? Why or why not?

Project 3.2: Preparing a Report Based on the NIST Special Publications 800 Series Directory

1. Locate the NIST Special Publications 800 Series directory.

2. Read through the list of documents. Choose one that interests you and read it.

3. Prepare a report that addresses the following:

a. Why you chose this topic

b. What audience the document was written for

c. Why this document would be applicable to other audiences

d. The various sections of the document

e. Whether the document addresses confidentiality, integrity, or availability

Project 3.3: Preparing a Report on ISO 27001 Certification

1. Research how many organizations are currently ISO 27001 certified.

2. Prepare a report on how an organization achieves ISO 27001 certification.

References

Regulations Cited

“Federal Code 44 U.S.C., Sec. 3542,” accessed on 06/2013, http://uscode.house.gov/download/pls/44C35.txt.

“Federal Information Security Management Act (FISMA),” accessed on 06/2013, http://csrc.nist.gov/drivers/documents/FISMA-final.pdf.

“Public Law 107 – 347 – E-Government Act of 2002,” official website of the U.S. Government Printing Office, accessed on 06/2013, www.gpo.gov/fdsys/pkg/PLAW-107publ347/content-detail.html.

ISO Research

“International Standard ISO/IEC 27001,” First Edition 2005-10-15, published by the ISO, Switzerland.

“International Standard ISO/IEC 27000,” Second Edition 2012-12-01, published by the ISO, Switzerland.

“International Standard ISO/IEC 27002:2013,” Second Edition 2013-10-01, published by the ISO, Switzerland.

“About ISO,” official website of the International Organization for Standardization (ISO), accessed on 06/2013, www.iso.org/iso/home/about.htm.

“A Short History of the ISO 27000 Standards: Official,” The ISO 27000 Directory, accessed on 06/2013, www.27000.org/thepast.htm.

“An Introduction to ISO 27001, ISO 27002, ... ISO 27008,” The ISO 27000 Directory, accessed on 06/2013, www.27000.org/index.htm.

“The ISO/IEC 27000 Family of Information Security Standards,” IT Governance, accessed on 06/2013, www.itgovernance.co.uk/iso27000-family.aspx.

“ISO/IEC 27000 Series,” Wikipedia, accessed on 06/2013, http://en.wikipedia.org/wiki/ISO/IEC_27000-series.

NIST Research

“NIST General Information,” official website of the National Institute of Standards and Technology, accessed on 06/2013, www.nist.gov/public_affairs/general_information.cfm.

“NIST Computer Security Division,” official website of the NIST Computer Security Resource Center, accessed on 06/2013, http://csrc.nist.gov/.

“Federal Information Processing Standards (FIPS) Publications,” official website of the NIST Computer Security Resource Center, accessed on 06/2013, http://csrc.nist.gov/publications/PubsFIPS.html.

“Special Publications (800 Series) Directory,” official website of the NIST Computer Security Resource Center, accessed on 06/2013, http://csrc.nist.gov/publications/PubsSPs.html.

“Special Publications (800 Series) Directory by Legal requirement,” official website of the NIST Computer Security Resource Center, accessed on 06/2013, http://csrc.nist.gov/publications/PubByLR.html.

Other References

“Distributed Denial of Service Attack (DDoS),” Security Search, accessed on 06/2013, http://searchsecurity.techtarget.com/definition/distributed-denial-of-service-attack.

“Hacktivism,” Wikipedia, accessed on 06/2013, http://en.wikipedia.org/wiki/index.html?curid=162600.

Kuligowski, Christine, “Comparison of IT Security Standards (2009),” accessed on 06/2013, www.federalcybersecurity.org/CourseFiles/WhitePapers/ISOvNIST.pdf.

Metac0m, “What Is Hactivism? 2.0,” published by The Hacktivist, December 2003, accessed on 06/2013, www.thehacktivist.com/whatishacktivism.pdf.

Poulsen, K. and Zetter, K., “U.S. Intelligence Analyst Arrested in WikiLeaks Video Probe,” Wired Magazine, accessed on 06/2013, http://www.wired.com/threatlevel/2010/06/leak/.

“What Is WikiLeaks,” WikiLeaks, accessed on 06/2013, http://wikileaks.org/About.html.

“WikiLeaks Fast Facts,” CNN, accessed on 06/01/2013, www.cnn.com/2013/06/03/world/wikileaks-fast-facts/.
