Enterprise Security Management Practices ◾  11
© 2011 by Taylor & Francis Group, LLC
With this understanding of the groups’ perceptions and expectations, the
ISSMP can determine the best solutions and strategies for promoting security to
each business function. An example of how this works is as follows:
The ISSMP for an R&D company whose personnel came mostly from academic research groups needed to solve two problems, one a security problem and one an operational one. The security problem was to provide controlled access to the building, replacing the existing physical keys and alarm codes. The operational problem was to route phone calls to individuals wherever they were in the building. Because researchers are typically in discussions in other researchers' offices, the front desk would page the individual over the public address system. With 30 employees this was acceptable, but when the company grew to 100 employees the frequency of pages became disruptive. The ISSMP researched several solutions and found one that appeared to fit both problems: a system of infrared (IR) badges that would track the location of each individual and direct phone calls to the nearest phone. When the solution was presented to the researchers, they made clear that they did not want to wear an external badge or have a record of their movements kept. The solution actually deployed was to issue each person a proximity badge they could keep in their wallet, implement a voice mail system, and page an individual only in an emergency.
External Influences
In addition to understanding the internal factors that influence a system's security program, there are two external influences: customers and competitors. Each of these has a profound influence on the level and type of security to be deployed. With customers, the ISSMP needs to be aware of their capabilities (computer and technical) and, as with the functional groups' employees, their expectations. The ISSMP should know the following about the customers who are buying the organization's products or services over the Internet:
Computer type and capabilities
Connection bandwidth
Technical knowledge and abilities
Span of attention
Security expectations
All of this information can be obtained through market surveys and interviews with the organization's reseller and sales-force personnel.
What the ISSMP needs to know about the competitors is
Reputation for ethical behavior
Industrial espionage capabilities
Technical capabilities
Competitive desire
Success in obtaining the organization's clients
What type of security they use with their clients
Information on the first three items can be gained from Internet searches and from talking with other security professionals. Knowledge of the latter three can come from the marketing research conducted as part of the organization's competitive analysis.
Why is the above information on customers and competitors important? The competitors' ethical reputation, espionage capabilities, technical capabilities, and competitive desire will feed the ISSMP's risk analysis, which is discussed later in the chapter under the risk management sections. The rest of the information is critical for selecting the right security solution. The following example helps explain this:
Situation: An organization decides to deploy a smartcard solution to verify online clients before allowing them to purchase products or services. The smartcard solution is selected because it is expected to provide near-complete assurance of the client's identity.
Result: Even though the organization's advertising is drawing more potential buyers to its site than to any of its competitors, very few people buy there.
Why?: Because the potential buyers are "impulse buyers": they want to buy now and do not want to wait for a smartcard to arrive in the mail, while the competitors use SSL and static passwords, allowing immediate online transactions. Additionally, even if the buyers did receive the smartcard, where and how would the card reader and its software be integrated into their environment?
For two real-world examples of this, look at the lack of success of the VISA and American Express deployment of smartcards to their clients at no cost, with free smartcard readers and software. Based on informal audience surveys, less than 3% have taken advantage of this free offer. The other example is discussed in the book KNOW IT Security, which describes deploying customer authentication for an Internet gambling casino. The online casino allowed players to use a static password protected by SSL encryption, because if it had made a player wait for an authentication token, the player would have gone to another casino. In both cases the business accepted the weaker authentication of a static password as the price of not losing the customer; the residual risk of that choice is what the risk analysis discussed later must account for.
Influence Summary
There are many things that influence the deployment of the most efficient and effective security solutions for an individual system or an enterprise system. The influences discussed above and summarized in Figure 1.1 are mostly related to the type of business supported and the individuals who interact with the system, both internal and external to the organization. The ISSMP needs to be aware of these and include them when recommending the most effective solutions for an information system.
Additionally, this awareness of the business and its cultures will help to promote security recommendations at all levels of the organization during senior management presentations, resource requests, employee awareness efforts, and so forth.
Information Security Concepts
Before determining what type of security is necessary for securing a specific system, an ISSMP needs to identify what assets need to be protected and to what degree. To do this, the ISSMP needs to understand some basic security concepts. These concepts include the following:
System Security Requirements: Availability, Integrity, and Confidentiality
Business Impact Analysis
Information Classifications
Security Categorization
Security Boundaries
This section provides a thorough review of these security concepts.
[Figure 1.1 Business influences. Diagram titled "What Influences a System's Security Program?": Laws and Regulations; Senior Management; Group Culture and Expectations; Mission, Goals and Objectives; Competition; Client Capabilities and Expectations, all feeding into the Information System Security Program.]
System Security Requirements
The three key security requirements of most information systems are availability, integrity, and confidentiality. They are objectives of an information system security program and properties that should be included and deployed in most, if not all, information systems. The following are definitions of these three attributes. The parts within quotes are from SP 800-53; FIPS 200; FIPS 199; or 44 U.S.C., Sec. 3542.
Availability: “Ensuring timely and reliable access to and use of information.” Availability is impacted by human error, cabling problems, software bugs, hardware failures, staff absences, malicious code, and the many other threats that can render a system unusable or unreliable. High availability is a critical requirement for online transaction, flight control, monitoring, and command and control (C2) systems.
Integrity: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” This is the requirement to ensure that the accuracy of the information is maintained while it resides on the system, is being processed, or is being transmitted to or from the system. The goal is to ensure that the information is not intentionally or accidentally corrupted. Integrity is critical to commercial and military tracking, safety, production, and financial systems.
Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” This requirement prevents the unauthorized disclosure of information while on the system, during transmission to other systems, and during the physical transfer of information from one location to another. This property is a key objective in systems holding intellectual property, trade secrets, individual healthcare and personally identifiable information, and classified documents.
It would be cost prohibitive for organizations to provide all systems with a maximum level of protection. Fortunately, different systems require different levels of these properties depending on the legal and regulatory requirements levied on them and, most importantly, on the impact that could result if one of these properties were lacking. It is the ISSMP's responsibility to determine how much protection related to these three properties is needed to meet legal, regulatory, and business security requirements. Then the ISSMP must gain senior management's approval to implement the recommended safeguards or to accept the risk.
Security Impact Analysis
The need for these properties will vary from system to system. Some systems will require very strong confidentiality (High), such as national intelligence systems. Others may require no confidentiality, such as the public information systems of the Library of Congress. Other systems will require varying degrees of confidentiality. Similarly, the levels of availability and integrity for a system used to purchase shoes online and a system presenting airplane tracks to an air traffic controller will be very different. Identifying the difference is critical to identifying the level of protection a system requires. It requires a subjective look at all of the business or mission specifics to determine which of the three are required and at what level: Low, Moderate, or High.
In an attempt to provide some guidance to the commercial and government sectors, the National Institute of Standards and Technology (NIST) published guidance in its 800 series of Special Publications linking these levels to the magnitude of impact. Basically, the levels are defined as shown in Table 1.3.
As mentioned above, each system has a very different mission, business model, and potential impact level. Therefore, Table 1.3 and the NIST guidance are very general, but they give the organization a reference for conducting its analysis. This analysis must include an honest review of the system to determine the potential impact on operations, assets (tangible and intangible, e.g., reputation), and individuals (employees, the surrounding public, clients, etc.) so that management can begin to identify the impact and determine what levels of availability, integrity, and confidentiality are appropriate. Again, it is the ISSMP's responsibility to help the system owner determine this and senior management's responsibility to approve remediation or risk acceptance.
How does the ISSMP do this analysis? One way is to do an impact analysis. During the discussion of missions, goals, and objectives, systems with different goals were identified, each requiring different levels of availability, integrity, and confidentiality. Using some of those systems, the following provides a general look at how a manager would analyze different systems and approximate what the requirements could be:
Providing Information to the Public:
Availability: Depends on how time critical the information is to the operations or decision-making needs of the receiver: airplane tracking information to traffic controllers is High, because people could die from plane
Table1.3 Magnitude of Impact
Potential
Impact Overall
Organizational
Operations
Organizational
Assets Individuals
High Catastrophic
or severe
Severe
degradation or
loss of capability
Major damage Loss of life
or life-
threatening
injuries
Moderate Serious Significant
degradation
Significant
damage
Significant
harm
Low Limited Some
degradation
Minor
damage
Minor or
no harm
Source: This table was created from various descriptions provided in NIST SP 800-
30, 800-64, 800-53, and FIPS-199.
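The analysis described above (rating each of the three properties Low, Moderate, or High per system) has a mechanical core once each information type has been rated. The following Python is an added worked example, not code from the ISSMP guide: it applies the FIPS 199 rules that a system's level for each objective is the highest level ("high-water mark") among the information types it handles, that N/A is permitted only for the confidentiality of public information, and that no objective is rated below Low at system level. The information types, their ratings and the system names (a web shop, an air traffic track display, a public library catalogue) are constructed for illustration and echo the text's own examples.

```python
"""FIPS 199-style security categorization of an information system.

Added example for this section (not code from the ISSMP guide).  It applies
the FIPS 199 rules: a system's impact level for each security objective is
the highest level ("high-water mark") among the information types the
system handles; an information type may be rated N/A only for
confidentiality (public information); and at system level no objective is
ever rated below LOW.  The information types, ratings, and system names
below are constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")          # ordered, so index() gives the rank
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One type of information handled by the system, with its own ratings."""
    name: str
    confidentiality: str   # LOW | MODERATE | HIGH | N/A (N/A = public information)
    integrity: str         # LOW | MODERATE | HIGH
    availability: str      # LOW | MODERATE | HIGH


def validate(info: InfoType) -> None:
    """Reject ratings outside the allowed vocabulary; N/A only for confidentiality."""
    for obj in OBJECTIVES:
        value = getattr(info, obj)
        if value == "N/A" and obj == "confidentiality":
            continue
        if value not in LEVELS:
            raise ValueError(
                f"{info.name}: {obj} rating {value!r} must be one of {LEVELS}"
                + (" or N/A" if obj == "confidentiality" else "")
            )


def _rank(value: str) -> int:
    """Numeric rank for max(): N/A ranks below LOW."""
    return -1 if value == "N/A" else LEVELS.index(value)


def categorize(info_types) -> dict:
    """Return {objective: level} for the whole system (FIPS 199 high-water mark)."""
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    for info in info_types:
        validate(info)
    category = {}
    for obj in OBJECTIVES:
        highest = max(_rank(getattr(info, obj)) for info in info_types)
        # Floor at LOW: an N/A on an information type never survives to system level.
        category[obj] = LEVELS[max(highest, 0)]
    return category


def overall_level(category: dict) -> str:
    """Single system level (used to pick a control baseline): the highest of the three."""
    return max(category.values(), key=LEVELS.index)


def format_sc(system_name: str, category: dict) -> str:
    """Render in FIPS 199 notation, e.g. SC web shop = {(confidentiality, LOW), ...}."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed sample systems echoing the text's examples (online shoe shop,
# air traffic track display, public library information).
WEB_SHOP = [
    InfoType("product catalogue (public)", "N/A", "MODERATE", "MODERATE"),
    InfoType("customer orders and addresses", "MODERATE", "MODERATE", "LOW"),
]
TRACK_DISPLAY = [
    InfoType("aircraft track data", "LOW", "HIGH", "HIGH"),
]
PUBLIC_LIBRARY = [
    InfoType("public catalogue", "N/A", "LOW", "LOW"),
]

if __name__ == "__main__":
    for name, types in (("web shop", WEB_SHOP), ("track display", TRACK_DISPLAY),
                        ("public library", PUBLIC_LIBRARY)):
        cat = categorize(types)
        print(format_sc(name, cat), "-> overall", overall_level(cat))
```

The point the code makes that the prose does not is the aggregation rule: a system that mixes public information with customer records inherits the customer records' Moderate confidentiality, while the public catalogue's N/A contributes nothing; and a system holding only public information still ends up at Low, not "none", for all three objectives. The overall level is what the NIST baselines key on, which is why one High objective pulls the whole system to High.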