Dilla University
College of Engineering and Technology
Department of Computer Science
Computer Security /CoSc 582
Chapter Seven
Information Security
Fiseha B. (MSc.), May 2014, Dilla University, Department of Computer Science
Outline
Part I
1. Introduction
2. Policy
3. Program Security Policy
4. Issue-Specific Security Policy (ISSP)
5. System-Specific Policy
6. Guidelines for Policy Management
Introduction
• This chapter focuses on information
security policy:
– What it is
– How to write it
– How to implement it
– How to maintain it
Policy
• Policy is an essential foundation of an effective infosec
program
• A security policy is a set of rules that protect an
organization’s assets.
• An organization’s security policies should reflect
– The organization’s goals in creating the policies, and
– The context in which the organization operates:
• The computer and network environment, and
• The organizational environment (private or public)
– Applicable laws, rules and regulations
– Organizational culture.
• The success of an information resources
protection program depends on the policy
generated, & on the attitude of
management toward securing information
on automated systems.
• The primary responsibility is to set the
information resource security policy for
the organization, with the objectives of
– reduced risk,
– compliance with laws & regulations,
– assurance of operational continuity, and
– information integrity & confidentiality.
• A quality infosec program begins & ends with policy
• Policies are the least expensive means of control & often
the most difficult to implement
• Basic rules to follow when shaping policy:
– Never conflict with law
– Stand up in court
– Be properly supported and administered
– Contribute to the success of the organization
– Involve end users of information systems
Bull's-eye model layers (figure): focus on the systemic solutions, not specifics
Bull's-eye model layers
1. Policies: first layer of defense
2. Networks: where threats first meet the
organization’s network
3. Systems: computers & manufacturing
systems
4. Applications: all application systems
• Policies are important reference
documents for internal audits & for
resolution of legal disputes about
management’s due diligence
• Policy documents can act as a clear
statement of management’s intent
• Policy: plan or course of action that
influences & determines decisions
• Standards: more detailed statement of
what must be done to comply with policy
• Practices, procedures & guidelines:
explain how employees will comply with
policy
• For policies to be effective, they must
be:
– Properly disseminated
– Read
– Understood
– Agreed-to
• Policies require constant modification &
maintenance
• In order to produce a complete infosec
policy, management must define 3 types
of infosec policy:
– Security Program (General) security
policies
– Issue-specific infosec policies
– Systems-specific infosec policies
Security Program (General)
security policies
• The Security Program Policy is an executive-level
document.
– Drafted by the Information Security Officer.
– Generally 2 to 10 pages in length.
• It shapes the philosophy of security in the IT
environment.
• It defines the purpose, scope, constraints, and
applicability of the security program in the
organization.
Security Program (General)
security policies
• The Security Program Policy assigns
responsibilities for the various areas of
security, including
– System administration,
– Maintenance of security policies, and
– Practices and responsibilities of users.
• Addresses compliance with the security policy
– General compliance to ensure meeting security
requirements,
– Use of specific penalties and disciplinary actions.
Issue-Specific Security
Policy (ISSP)
• Issue-Specific Security Policies are
guidelines that instruct employees how to use
technologies and processes.
• As the name implies, they are very specific
policies. They
– Address specific areas of technology,
– Require frequent updates,
– Contain statements of the organization’s
position on specific issues.
ISSP topics could include
• email
• use of Internet & World Wide Web
• specific minimum configurations of
computers to defend against malware
• prohibitions against hacking or testing
organization security controls
• home use of company-owned computer
equipment
• use of personal equipment on company
networks
• use of telecommunications technologies
• use of photocopy equipment
Systems-Specific Policies
(SysSPs)
• System-Specific Policies are usually
coded standards and procedures used
while configuring or maintaining
systems:
– For example, an access control list that
defines which users may access a
particular system or data.
Systems-Specific Policies
(SysSPs)
• System-Specific Policies can be organized into
two general groups:
– Access Control Lists: Lists, matrices and capability
tables governing the rights and privileges of a
particular user to a particular system. They
• Regulate access, e.g., who, what, when, where, and how.
• Regulate privileges, e.g., read, write, create, modify,
delete, compare, copy.
– Configuration Rules: The specific configuration
information entered into security systems to guide
their behavior.
• They govern the configuration of systems such as
– Firewalls,
– Intrusion detection systems (IDSs), and
– Proxy servers.
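The access-control half of a SysSP, as an added Python example that is not part of the lecture slides: a small evaluator for an ACL whose rules state who, what, when, where and how, using the privilege vocabulary listed above. The rule format, the payroll database, the user and group names, networks and time windows are all constructed for illustration; the default-deny and deny-overrides-allow behaviour goes beyond what the slide states and is the author's design choice here.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Tuple

# HOW: the privilege vocabulary listed on the slide.
PRIVILEGES = frozenset({"read", "write", "create", "modify", "delete", "compare", "copy"})


@dataclass(frozen=True)
class Rule:
    subject: str                                  # WHO: "user:<name>" or "group:<name>"
    obj: str                                      # WHAT: the protected system or data set
    privileges: FrozenSet[str]                    # HOW: subset of PRIVILEGES
    effect: str = "allow"                         # "allow" or "deny"; deny always wins
    start: time = time(0, 0)                      # WHEN: permitted time-of-day window
    end: time = time(23, 59, 59)
    networks: Tuple[str, ...] = ("0.0.0.0/0",)    # WHERE: permitted source networks


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    obj: str
    privilege: str
    at: time
    source_ip: str


def rule_applies(rule: Rule, req: Request) -> bool:
    """True when the rule's who, what, how, when and where all cover the request."""
    kind, _, name = rule.subject.partition(":")
    if kind == "user":
        who_ok = name == req.user
    elif kind == "group":
        who_ok = name in req.groups
    else:
        return False                              # malformed subject never matches
    if not who_ok or rule.obj != req.obj or req.privilege not in rule.privileges:
        return False
    if not (rule.start <= req.at <= rule.end):
        return False
    src = ip_address(req.source_ip)
    return any(src in ip_network(n) for n in rule.networks)


def is_allowed(rules: Iterable[Rule], req: Request) -> bool:
    """Default deny: succeed only if an allow rule covers the request and no deny rule does."""
    if req.privilege not in PRIVILEGES:
        return False                              # unknown privilege names fail closed
    matched = [r for r in rules if rule_applies(r, req)]
    if any(r.effect == "deny" for r in matched):
        return False
    return any(r.effect == "allow" for r in matched)


# Constructed sample SysSP for a hypothetical payroll database.
PAYROLL_RULES = (
    # Finance staff may read and compare during office hours from the office LAN.
    Rule("group:finance", "payroll-db", frozenset({"read", "compare"}),
         start=time(8, 0), end=time(18, 0), networks=("10.20.0.0/16",)),
    # The DBA may maintain the data at any time and from any network ...
    Rule("user:dba1", "payroll-db", frozenset({"read", "write", "modify", "delete"})),
    # ... except that nobody touches payroll from the guest network.
    Rule("group:everyone", "payroll-db", PRIVILEGES, effect="deny",
         networks=("192.168.100.0/24",)),
)


def evaluate(user: str, groups: Iterable[str], privilege: str, hhmm: str, source_ip: str,
             obj: str = "payroll-db", rules: Iterable[Rule] = PAYROLL_RULES) -> bool:
    """Convenience wrapper: build a Request from plain values and evaluate it."""
    req = Request(user, frozenset(groups), obj, privilege, time.fromisoformat(hhmm), source_ip)
    return is_allowed(rules, req)


if __name__ == "__main__":
    cases = [
        ("bob", {"finance", "everyone"}, "read", "09:30", "10.20.3.7"),    # allowed
        ("bob", {"finance", "everyone"}, "read", "22:00", "10.20.3.7"),    # outside window
        ("bob", {"finance", "everyone"}, "write", "09:30", "10.20.3.7"),   # no write privilege
        ("dba1", {"everyone"}, "delete", "03:00", "10.20.5.4"),            # allowed
        ("dba1", {"everyone"}, "read", "10:00", "192.168.100.9"),          # deny overrides allow
    ]
    for user, groups, priv, at, ip in cases:
        verdict = "ALLOW" if evaluate(user, groups, priv, at, ip) else "DENY"
        print(f"{user:5} {priv:7} {at} {ip:15} -> {verdict}")
```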
Guidelines for Policy
Development
• Often useful to view policy development
as a two-part project:
1. Design & develop policy (or redesign
& rewrite outdated policy)
2. Establish management processes to
perpetuate policy within organization
• The former is an exercise in project
management, while the latter requires
adherence to good business practices
• Policy development or re-development
projects should be well planned,
properly funded, & aggressively
managed to ensure completion on time &
within budget
• When a policy development project is
undertaken, the project can be guided
by the SecSDLC process
1. Investigation Phase
• The policy development team should:
– Obtain support from senior management, &
active involvement of IT management
– Clearly articulate goals of policy project
– Gain participation of correct individuals
affected by recommended policies
– Be composed of representatives from Legal, Human Resources
& end users
– Assign project champion with sufficient
stature & prestige
– Acquire a capable project manager
– Develop detailed outline of & sound
estimates for, the cost & scheduling of the
project
2. Analysis Phase
• Should include the following activities:
– New or recent risk assessment or IT
audit documenting the current infosec
needs of the organization
– Key reference materials, including any
existing policies
3 & 4. Design phase
• Should include:
– How policies will be distributed
– How verification of distribution will be
accomplished
– Specifications for any automated tools
– Revisions to feasibility analysis reports
based on improved costs & benefits as
design is clarified
5. Implementation Phase
• Write the policies!
• Make certain policies are enforceable as
written
• Policy distribution is not always
straightforward
• Effective policy:
– Is written at a reasonable reading level
– Attempts to minimize technical jargon &
management terminology
One way to measure readability (figure)
6. Maintenance Phase
• Maintain & modify policy as needed to ensure that it
remains effective as a tool to meet changing threats
• Policy should have a built-in mechanism via which
users can report problems with the policy, preferably
anonymously
• Periodic review should be built into the process
Part II
• Introduction
• Security Standard Criteria and
Product Security Evaluation Process
• Computer Products Evaluation
Standards
• Major Evaluation Criteria
Introduction
• Security Evaluation Process
• Security Standards and Criteria
– The Orange Book
– U.S. Federal Criteria
– Information Technology Security
Evaluation Criteria (ITSEC)
– The Trusted Network Interpretation
(TNI): The Red Book
– Common Criteria (CC)
Security Standards, Criteria
and Evaluation Process
• Purpose
• Criteria
• Process
• Structure
• Outcome/benefit
Purpose of Evaluation
• Certification
• Accreditation
• Evaluation
• Potential market benefit
Criteria
• Define several degrees of rigor
acceptable at each testing level of
security
• Define the formal requirements the
product needs to meet at each assurance
level
• Assurance levels are based on the Trusted
Computer System Evaluation Criteria (TCSEC)
Process of Evaluation
• Two evaluation directions:
– Product-oriented
– Process-oriented
• Six steps:
– Proposal review
– Technical assessment
– Advice
– Intensive preliminary technical review
– Evaluation
– Rating maintenance phase
Structure of Evaluation
• Functionality – what and how much the
product can do
• Effectiveness – whether the product
meets the effectiveness threshold
• Assurance – gives the buyer assurance and
a guarantee
Outcome/Benefits
• A great product
– For the evaluator, it cuts down the evaluation cost
without cutting the value of the evaluation
– For the buyer, it results in a good product that
enhances security
• Evaluation of a computer product can be
done using either a standard or a set of
criteria
Computer Products
Evaluation Standards
• American National Standards Institute (ANSI)
• British Standards Institute (BSI)
• Institute of Electrical and Electronics Engineers Standards
Association (IEEE-SA)
• International Information System Security Certification
Consortium (ISC)2
• International Organization for Standardization (ISO)
• National Institute of Standards and Technology (NIST)
• National Security Agency (NSA)
• International Architecture Board (IAB)
• Organization for the Advancement of Structured
Information Standards (OASIS)
• Underwriters Laboratories
• Worldwide Web Consortium (W3C)
Major Evaluation Criteria
• The Orange Book
• U.S. Federal Criteria
• Information Technology Security
Evaluation Criteria (ITSEC)
• The Trusted Network Interpretation
(TNI): The Red Book
• Common Criteria (CC)
The Orange Book
• Three Objectives
– A yardstick for user
– Guidance for manufacturer
– Basis for security requirements
• Two requirements
– Specific security feature requirements
– Assurance requirements
The Orange Book
• Four Assurance Levels: Each division represents
a significant difference in the trust an
individual or organization can place in the
evaluated system.
– Class D – Minimal Protection
– Class C
• C1: Discretionary Security Protection (DSP)
• C2: Controlled Access Protection (CAP)
– Class B
• B1: Labeled Security Protection
• B2: Structured Protection
• B3: Security Domain
– Class A1: Verified Protection