Enterprise Security Management Practices ◾  31
© 2011 by Taylor & Francis Group, LLC
and processes in the form of lectures, whitepapers, standards, and guidelines. ISSMPs would be irresponsible not to leverage this experience. In fact, the previously documented standards and guidelines provide excellent resources that ISSMPs can use to begin tailoring their security programs. Additionally, where conformance to laws and regulations is required, ISSMPs must use those laws and regulations as the foundation for their programs, then modify them for their specific organization's environment and requirements.
So, what are these standards and guidelines, and how does the ISSMP use them to
build the policies and other components of the enterprise system security framework?
Standards and Guidelines
First, let's define the terms. Standards are mandatory, i.e., they must be followed; guidelines are provided as suggestions. In many cases an organization publishes a standard to state an overall mandatory requirement and then publishes more flexible guidelines on how that requirement can be satisfied. This allows flexibility in how the standard is complied with at the organization or system level.
There are two sets of standards and guidelines: external and internal. The external ones are created by organizations such as government and nonprofit groups, e.g., the National Institute of Standards and Technology (NIST) and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC). External standards and guidelines are usually driven by regulatory, professional, or business demands.
NIST was directed by the U.S. Congress to develop and issue standards and
guidelines for government organizations and those working with the government.
NIST is well known for its 800 series of Special Publications (SPs) and its manda-
tory Federal Information Processing Standards (FIPS) related to all aspects of IT
security, which can be found at http://csrc.nist.gov/publications. For the U.S. gov-
ernment and associated organizations, NIST FIPS are standards (mandatory) and
NIST SPs are guidelines.
ISO/IEC standards and guidelines are driven by the needs of the international community for something it can use to guide the securing of its systems. Two of these are well known in the IT security community:

One is a standard, ISO/IEC 15408-3:2008, Evaluation Criteria for IT Security. ISO/IEC 15408 is the international standard version of the Common Criteria for Information Technology Security Evaluation (Part 3 covers the security assurance components), and it provides the standard framework for evaluating individual information technology products against the Common Criteria.

The other is a guideline, ISO/IEC 27002:2005, Code of Practice for Information Security Management, which "establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization." (Source: http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=50297)
Currently, NIST is working with public and private sector entities to establish
specic mappings and relationships between the security standards and guidelines
developed by NIST and ISO/IEC.
Some very large organizations have published their own standards and guidelines, such as the U.S. Department of Defense in its 8500 series of directives and instructions for the U.S. military, and the Information Systems Audit and Control Association (ISACA) IS Standards, Guidelines, and Procedures for Auditing and Control Professionals (Source: http://www.isaca.org/AMTemplate.cfm?Section=Standards2&Template=/ContentManagement/ContentDisplay.cfm&ContentID=43089).
Internal standards and guidelines are created by an organization, based on best practices, to provide direction to its employees and partners on how to develop, operate, interconnect, and maintain the organization's security. These are typically recommended by the ISSMP, but are always approved and promulgated by senior management. They are typically referenced or stated in enterprise security policy, system security plans, operations manuals, and so forth.
Examples of internal standards include the following:

Passwords: Employees will use 12-character passwords, using random combinations of alphanumeric characters, special characters, and upper and lower cases.

Awareness: All employees will complete IT security indoctrination prior to logging on to any system and annual awareness training to maintain access privileges. Compliance will be reviewed by the Chief Information Security Officer (CISO) and formally reported on a quarterly basis to the Chief Executive Officer.

Contingency Plan Testing: Contingency plans will be exercised annually for each IT system.

Examples of guidelines include the following:

Passwords: Systems can use two-factor authentication or higher to meet the requirements of the standard.

Awareness: Employees will have 30 days to complete their annual IT awareness requirement after notification of noncompliance. Awareness compliance can be reinstated after taking the computer-based training or attending the monthly IT awareness event.

Contingency Plan Testing: To be compliant with the annual contingency plan exercise requirement, the following is acceptable for the applicable systems:
Low-Impact Systems: Tabletop exercise
Moderate-Impact Systems: Walk-through exercise
High-Impact Systems: Full deployment exercise
Leveraging Externals to Produce Internals
When developing internal standards, guidelines, and procedures, ISSMPs should freely use external sources of standards, guidelines, procedures, and best practices to locate the various options for identifying the best security solution for their systems.

A good example: when creating an outline for their enterprise system security framework, ISSMPs can start with NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, which provides a short outline for building a generic security plan. Having conducted the work identified in the first section of this chapter, the ISSMP can easily complete the first half of the plan, describing the mission, business functions, goals and objectives, interconnectivity with internal groups and externally with partners, and so forth.
The next item in the plan is the development of the roles and responsibilities, policies, standards, and guidelines. Identifying roles and responsibilities will be discussed later in this chapter. The following references are good sources for information relative to developing baseline controls:

NIST SP 800-53, Recommended Security Controls for Federal Information Systems (its companion, NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, covers how those controls are assessed)
ISO/IEC 27002:2005, Code of Practice for Information Security Management
Department of Defense Instruction (DODI) 8500.2, Information Assurance (IA) Implementation
Each of these three documents provides a comprehensive list of controls that should be taken into consideration when securing an IT system. Although the number of control families differs, the total set of controls within each document is very similar to the others (Figure 1.5).

Since each document was developed for a different audience, ISSMPs should find which of these documents they are most comfortable with and use that control listing to build an outline of the standards, guidelines, and procedures they will need to develop for their systems.

Note: When developing something others will have to implement and live with, involve them in the development of the solution or options. Why? Participation provides education, understanding of the need, and ownership of the end solutions.
Other sources for best practices include the following:

Commonly Accepted Security Practices and Regulations (CASPR)
Developed by the CASPR Project (www.caspr.org), this effort aims to provide a set of best practices that can be universally applied to any organization regardless of industry, size, or mission. CASPR delves into specific technologies, recommending fundamental principles and practices for creating a stable and secure IT environment.
NIST SP 800-53 (17 control families):
Certification, Accreditation, and Security Assessments
Planning
Risk Assessment
System and Services Acquisition
Awareness and Training
Configuration Management
Contingency Planning
Incident Response
Maintenance
Media Protection
Physical and Environmental Protection
Personnel Security
System and Information Integrity
Access Control
Audit and Accountability
Identification and Authentication
System and Communications Protection

ISO/IEC 27002:2005 (11 control clauses):
Security Policy
Organization of Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development, and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance

DoDI 8500.2 (8 IA control subject areas):
Security Design and Configuration
Identification and Authentication
Enclave and Computing Environment
Enclave Boundary Defense
Physical and Environmental
Personnel
Continuity
Vulnerability and Incident Management

Figure 1.5 Various families of control. (The reference for the ISO chart may be found at http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=39612.)
Control Objectives for Information and Related Technology (COBIT)
Developed by IT auditors and made available through the Information Systems Audit and Control Association (www.isaca.org/cobit.htm), COBIT provides a framework for assessing a security program, developing a performance baseline, and measuring performance over time.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®)
Created by Carnegie Mellon's CERT Coordination Center (www.cert.org/octave), OCTAVE is a self-directed information security risk assessment method that provides measures based on accepted best practices for evaluating security programs.

NIST Special Publications (http://csrc.nist.gov/publications/PubsSPs.html):
Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14
Contingency Planning Guide for Information Technology Systems, NIST SP 800-34
Guideline on Network Security Testing, NIST SP 800-42
Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A
Computer Security Incident Handling Guide, NIST SP 800-61
The above steps provide the ISSMP with an understanding of the enterprise's systems and the key areas that need to be reviewed. To make the Enterprise System Security Program successful and cost effective, the ISSMP must ensure that the program is risk based.
Risk Management Program
The concept of risk management programs is nothing new to organizations. These programs are in place at most organizations, from the National Sports Organization for Badminton to the National Aeronautics and Space Administration (NASA). Organizations find that programs that are proactive in preventing failures, unnecessary costs, or losses are necessary for successfully accomplishing the organization's mission, because they make potential risks known before decisions are made. Risks related to the following should be assessed in order to support optimum management decision making: producing a new product, reviewing new marketing strategies, deciding between older proven technical solutions and innovative ones, determining the need for changes in operational processes, identifying potential problems in project schedules, and projecting the impact of security solutions.

With this in mind, the overall objective of a security risk management program is to identify potential security incidents before they occur, so that