This chapter discusses the importance of knowing what information needs to be secured. It outlines the key steps in the security process:
1) Creating an inventory that identifies and values all information assets
2) Establishing baselines to document assets and control any changes
3) Maintaining the integrity of assets through rigorous change management processes like getting approval from authorized decision makers and properly documenting and implementing all changes.
This chapter discusses the importance of knowing what information needs to be secured. It outlines the key steps in the security process:
1) Creating an inventory that identifies and values all information assets
2) Establishing baselines to document assets and control any changes
3) Maintaining the integrity of assets through rigorous change management processes like getting approval from authorized decision makers and properly documenting and implementing all changes.
This chapter discusses the importance of knowing what information needs to be secured. It outlines the key steps in the security process:
1) Creating an inventory that identifies and values all information assets
2) Establishing baselines to document assets and control any changes
3) Maintaining the integrity of assets through rigorous change management processes like getting approval from authorized decision makers and properly documenting and implementing all changes.
Chapter 1: Knowing What to Secure Learning Objectives In this chapter, you begin by understanding what information to secure as information is intangible and difficult to put a dollar value to that asset. At the end of this chapter, the student will know: Why knowing what to secure is the first step in the security process Why information has to be controlled like any other organizational chart Why change has to be rigorously planned for and managed Preparing for Class Instructors should have a good understanding and knowledge of Information Assurance and Security in general. Because this is an introductory chapter, it is beneficial to be able to discuss not just the basics of information assurance, but also how it applies to the real world. The quicker the instructor can help the students understand how this chapter applies to them personally or professionally, the more likely the students will be to actively participate. Prerequisites for Class Ensure that the students are In a computer lab, if possible, for access to the Internet Arranged in the classroom advantageously to ensure maximum participation Fundamentally sound with information security basics 1-1 Information Assurance for the Enterprise Instructors Manual Chapter 1 Class Preparation Notes For this class the students will need Access to a working computer with Internet access A highlighter (its not mandatory if they can take good notes) General Teaching Tips This course has a lot of information that is lecture oriented. Instructor must be creative in bringing the current events that are relevant to the chapters and make it an interactive process of learning. By engaging the students in the learning process, the class discussions will be lively and make the lecture interesting for this very important topic in todays digital world. Discussion Points and Teaching Tips will be provided as necessary for every chapter. Also, web links will be added as necessary for instructors to include them in the classroom. Key Terms Asset Base It is a repository of items identified and labeled for information assurance. Asset Identification It establishes an accurate record of the precise form of the items in the information asset base. Asset Management It assures that the documentation is accurate and that all security policies are correctly implemented. Asset Management Plan It enumerates the activities that make up the entire asset management process. 1-2 Information Assurance for the Enterprise Instructors Manual Chapter 1 Authorized Decision Makers They approve the decision to change the baseline. Baseline It is a catalogue of recorded information item. Baselining It is a process of recording an information item. Change Control It assures that the documentation of the items that exist within the baseline is accurate and that their precise status is known at all times. Change Management It assures continuous integrity by controlling all changes to all formally established baselines. Concrete Architecture It is the lowest-level of the baseline and represents the only tangible depiction of the asset. Controlled Repository This means only authorized people can modify the repository of the baseline. Corrective Action It is the specific response that an organization deploys for a given situation. Countermeasure It is a control that has been deliberately set to counter an identified threat. Decision Maker They are persons who are authorized to approve alterations to the form of the asset base. Disaster Recovery It assures the ability to recover assets after a disaster. Family Tree It is a hierarchical structure of the asset base. Financial Factors It describes the return on investment (ROI) for a given countermeasure. Risk Management It maintains the organizations planned response to all identified threats. 1-3 Information Assurance for the Enterprise Instructors Manual Chapter 1 Status Accounting It maintains a running documentation of all asset baselines and performs the routine reporting activities necessary to transmit that knowledge to the appropriate managers. Timing It is part of the asset management plan that requires users to back up and preserve each baseline. Uncertainty It describes the priority of the threat. Version Management It keeps each authorized version of the asset baselines secure, each in its own repository. Work Practice It establishes a concrete link between each specific item of information and the countermeasures that are set to protect it. Lecture Outline I. Assurance Process A. Inventory 1. Identify and label every useful bit of information 2. Every information item is catalogued 3. A value is assigned to each information item 4. Recoding process is known as baselining 5. Baseline i. Catalogue of information items ii. Starting point for the security response iii. It contains items that are valuable iv. It documents the information resource base 1-4 Information Assurance for the Enterprise Instructors Manual Chapter 1 v. It should be maintained as a living entity throughout the information assurance process vi. It assures an accurate picture of the information base vii. Disciplined process is necessary for control and changes to the baseline B. Ensuring Continuous Knowledge 1. Asset Management i. It establishes and maintains a precise description of the asset base ii. It assures a permanent accurate accounting iii. It enables the status of the asset base 2. Process Implementation i. A plan must be established for a persistent organizational process ii. The plan should precisely specify the process for inventory control iii. The plan must state the status of the information asset iv. The plan must have valid baseline v. The plan must have list of authorized decision makers vi. The plan must identify the risk management function vii. Disaster Recovery Plan assures ability to recover assets after disaster viii. The plan must define timing and the execution steps required to back up and preserve each baseline 1-5 Information Assurance for the Enterprise Instructors Manual Chapter 1 ix. The steps to recover assets must be sequenced and scheduled 3. Asset Identification i. It establishes an accurate record of the precise form of the items in the information asset base ii. It is based on a formal identification scheme iii. Everything worth protecting should be identified and labeled properly iv. The identification scheme is guided by the business case v. In the labeling process, the first pass should be all- encompassing vi. The second pass details each of the large components vii. Refer to Figure 1-1 (Page 5) for Hierarchy of documentation baselines viii. Hierarchical is the most common model for representing the components of a baseline ix. Refer to Figure 1-2 (Page 6) for Increasing levels of assurance controls x. Concrete Architecture represents only tangible depiction of the asset 4. Control of Change i. Change is a continuous process ii. Control of change means managing the natural evolution of an entity while preserving its overall integrity 1-6 Information Assurance for the Enterprise Instructors Manual Chapter 1 iii. Changes to the baseline change the protection requirements 5. Status Accounting i. It maintains running documentation of all asset baselines ii. It performs routine reporting activities iii. Normally, information resource manager is responsible for status accounting iv. The manager is also referred to as baseline manager 6. Asset Evaluation i. It assures the operational integrity of the asset base itself ii. It involves a formal inspection of a designated baseline iii. Evaluations are conducted routinely, on a scheduled basis iv. Evaluations assess the degree of correctness of the baseline v. Results of the evaluations are communicated appropriately 7. Version Management i. It maintains records of all current versions ii. All previous versions are archived separately iii. Archives provide a rollback capability in case of disaster C. Maintaining Integrity 1. Establishing the Checkpoint i. Integrity of information is a critical quality for assurance ii. Refer to Figure 1-4 (Page 10) for Generic Asset baseline change management process 1-7 Information Assurance for the Enterprise Instructors Manual Chapter 1 iii. A single identified checkpoint in the organization must be established for change coordination iv. Single checkpoint assures that the responsible party approves the required changes to a secured baseline 2. Documenting the Decision i. Documentation format must be standardized ii. Any change request must be clearly applied throughout the organization 3. Assigning Authority i. Responsible party makes the decision ii. It assures accountability iii. Decision-making authority has to assigned formally iv. Baseline changes can only be approved by the authorized decision maker v. To assure integrity, the decision maker empowered to approve changes must also be authorized to enforce the decisions 4. Implementing the Change i. High-impact change approval might come from an executive decision ii. Change is made once authorization is received iii. To assure integrity, the change is inspected and verified iv. For a major change, entire baseline should be audited to verify that integrity has been maintained 1-8 Information Assurance for the Enterprise Instructors Manual Chapter 1 v. The labeling is modified to reflect the form of the new baseline 5. Accounting for Information i. Formal organizational accounting function assures the asset base contents are accurate and known ii. It allows users to document and record all transactions for the affected baseline 6. Other Considerations i. Keep track of the individual requesting changes ii. It allows security managers to validate sensitivity iii. For complex situations, asset baselines must evolve through a single integrated and coordinated function iv. Uncontrolled changes are threats to information integrity II. Establishing the Assurance Function A. Basing the Response on the Risks 1. A control set to counter an identified threat is a countermeasure 2. Inventory of risks and associated countermeasures must be identified 3. Risk assessment requires accurate understanding of the precise threat-countermeasure relationship factors as follows: i. Timing Requirements Corrective action depends on the ability to deliver in sufficient time ii. Corrective Action Requirements It is a specific response that an organization deploys for a given situation 1-9 Information Assurance for the Enterprise Instructors Manual Chapter 1 iii. Financial Factors It describes the Return on Investment (ROI) for a given countermeasure iv. Likelihood The frequency of the threat occurrence and the extent of the harm that might result B. Hoping for the Best and Planning for the Worst 1. Uncertainty factor must be considered in a threat assessment 2. Uncertainty is expressed as a level of confidence 3. Threat assessment is not an exact science, thus it must be understood to build response C. Documenting the Countermeasures 1. Risk analysis identifies what information assets an organization holds 2. Organization also knows the threat levels to every item in the baseline 3. Refer to Figure 1-5 (Page 16) for relationship between the asset baseline and the control baseline III. Documenting the Assurance Solution A. Sequence and Timing 1. Countermeasures are not applied at the same time 2. Countermeasures must be sequenced properly 3. Sequence must be determined in the design process for countermeasures B. Monitoring 1-10 Information Assurance for the Enterprise Instructors Manual Chapter 1 1. It assures that the relationship between the information and its countermeasures will be supervised 2. It allows the organization to continuously evolve the countermeasures it needs as threats rise C. Accountabilities 1. Individual supervisory roles and responsibilities must be defined for each countermeasure D. Documentation and Reporting 1. Information to be captured and recorded must be identified 2. Management reports to be produced must be identified E. Problem Resolution 1. Problems resolution must be stated 2. The problem resolution process must be identified IV. Keeping the System Aligned A. The baseline must be properly aligned with the evolution of the operating infrastructure of the organization B. Continuous monitoring, adjustment, and updating of the baseline is important C. Feedback system is important as it generates a high degree of organizational buy-in Teaching Tip This chapter gives an overview of the information items that needs to be secured. Instructors can bring in current events such as how information was lost when Hurricane Katrina hit the Gulf Coast Region. Companies that did not have any Disaster Recovery 1-11 Information Assurance for the Enterprise Instructors Manual Chapter 1 plan where struggling after the floods in New Orleans. You can ask students to give examples of what needs to be secured in a house and what not as a risk management plan. Instructor can group students and ask them to identify items that needs to be secured and prioritize. Discussion point There are many discussion questions for the class under the Cross Check section in this chapter. Instructors can utilize these questions to provide some critical thinking discussions in the classroom. Key Terms Quiz Use the terms from the Key Terms list to complete the sentences that follow. Dont use the same term more than once. Not all terms will be used. 1. Testing to refine the control set in its operational environment is called ______. 2. Each information item is identified by a unique and appropriate ______. 3. Essentially, ______ types of baselines are involved in asset management. 4. The baseline that provides the specific assurance function is called the ______. 5. The goal of authorization is to assure that the designated ______ authorizes all changes to information and control ______. 6. Implementing work practices involves consideration of their ______. 7. Threats to information are identified by means of a ______. 8. ______ is necessary because an organizations information can legitimately be in more than one form, tax records for instance. 9. Measures to resolve problems are called ______. 10. ______ maintains an up-to-date record of the form of the asset. 1-12 Information Assurance for the Enterprise Instructors Manual Chapter 1 Answers 1. Testing to refine the control set in its operational environment is called change control. 2. Each information item is identified by a unique and appropriate asset identification. 3. Essentially, family tree types of baselines are involved in asset management. 4. The baseline that provides the specific assurance function is called the change management. 5. The goal of authorization is to assure that the designated decision maker authorizes all changes to information and control baseline. 6. Implementing work practices involves consideration of their countermeasures. 7. Threats to information are identified by means of a risk management. 8. Version management is necessary because an organizations information can legitimately be in more than one form, tax records for instance. 9. Measures to resolve problems are called corrective action. 10. Status Accounting maintains an up-to-date record of the form of the asset. 1-13 Information Assurance for the Enterprise Instructors Manual Chapter 1 Multiple Choice Quiz 1. Information asset management: A. is irrelevant to information assurance B. implements policy C. involves AT&E D. is unnecessary 2. Baselines: A. are abstract B. are intangible C. are hierarchical D. must be programmed 3. The process of formulating the control set should be based on: A. best guess B. confidence C. iteration D. a sense of humor 4. To do its work properly, the status accounting function relies on the use of: A. code reviews B. repositories C. controls D. verifications 1-14 Information Assurance for the Enterprise Instructors Manual Chapter 1 5. Information asset management is always based on: A. a plan B. an analysis C. best guess D. best practice 6. Version management is necessary because: A. there are often multiple examples of the same information B. software comes in multiple versions C. there might be two organizations involved D. versions are difficult to identify 7. A disciplined change process is necessary because: A. discipline is important B. the protection scheme must be continuously aligned to the business case C. items that are left out of the protection scheme will still be protected D. change never happens 8. Documented baselines serve as: A. a warning against threats B. the model for good security practice C. the basis for access control D. a proxy for the information asset itself 1-15 Information Assurance for the Enterprise Instructors Manual Chapter 1 Answers 1. B 2. C 3. B 4. B 5. A 6. A 7. B 8. B Essay Quiz 1. Why is it important to control changes to asset baselines? 2. Why is the labeling process approached hierarchically? 3. Differentiate asset baselines from control baselines. 4. How do the asset management procedures relate to overall information assurance policy? 5. What is the role of risk assessment when it comes to baseline formulation? 6. Why is organizational buy-in so important to good asset management? 7. What is the purpose of version management, why is it necessary, what are the outcomes if it is not practiced? 8. Why is it logical to begin the information assurance process with an information identification step? 9. Why must labels be unique, what purpose does unique labeling serve in the real world? 1-16 Information Assurance for the Enterprise Instructors Manual Chapter 1 10. Why is assignment of accountability important? What would be the consequence of not having it? Answers 1. Why is it important to control changes to asset baselines? It assures the integrity and correctness of a baseline. Also, it allows for the maintenance of continuous knowledge about status. 1-17 Information Assurance for the Enterprise Instructors Manual Chapter 1 2. Why is the labeling process approached hierarchically? The most common model for representing the components of a baseline is hierarchical. The labeling employed to characterize the relationship of each individual component to all other components is based on and reflects the hierarchical structure. The labels must be unique and should designate and describe the position of the item in the overall family tree of the asset base. 3. Differentiate asset baselines from control baselines. Asset baseline describes the components of the baseline at a high level of functioning. It focuses on communicating the general form of the asset base to managers and users. On the other hand, control baselines are at the lower level of hierarchical components and are detailed in nature. 4. How do the asset management procedures relate to overall information assurance policy? Asset management establishes and maintains a precise description of the information asset base, its constituent elements, and their interrelationship. It assures that the documentation is accurate and that all security policies are correctly implemented. Asset management process is composed of six interdependent activities Process Implementation, Asset Identification, Control of Change, Status Accounting, Asset Evaluation and Version Management. 5. What is the role of risk assessment when it comes to baseline formulation? The risk assessment produces an initial characterization of the type and origin of all reasonable threats to a particular information item. For every identified threat, a potential countermeasure is determined. Counter measures are based on the 1-18 Information Assurance for the Enterprise Instructors Manual Chapter 1 four factors - Timing requirements, Corrective action requirements, Financial factors and Likelihood. 6. Why is organizational buy-in so important to good asset management? Since generating a baseline for all information assets to be secured is the first step in having a good secure policy, the buy-in from all levels of organization is very important. 7. What is the purpose of version management, why is it necessary, what are the outcomes if it is not practiced? Version Management is necessary as there are usually simultaneous representations of the same asset baseline. All versions are archived separately and thus can provide a rollback capability in the case of disaster, as well as serve as a source of time-series data for root cause analysis. If version management is not practiced then it will be difficult to recover after a disaster. 8. Why is it logical to begin the information assurance process with an information identification step? Information identification is a critical step as the organization does not know what to secure then how can an assurance process be developed? So, all critical information asset should be identified that needs to be protected. 9. Why must labels be unique, what purpose does unique labeling serve in the real world? Labels must be unique as it identifies the item, name of the baseline and version designation. Labels provide a logical framework based on their interrelationships 1-19 Information Assurance for the Enterprise Instructors Manual Chapter 1 and interdependencies. Thus, the structure of the hierarchical process can be identified clearly. 1-20 Information Assurance for the Enterprise Instructors Manual Chapter 1 10. Why is assignment of accountability important? What would be the consequence of not having it? It is important that a person is identified for the responsibilities and accountability for the specific baseline items. If there is no accountability then there will be no integrity of the process. Case Exercise Complete the following case exercise as directed by your instructor: Refer to the Heavy Metal Technology Case in Appendix A. You have been assigned the baseline management responsibility for the project to upgrade the target acquisition and display (TADS) for the AH64-D Apache Longbow attack helicopter. To start the process, you know you must first identify and array a complete and coherent baseline of high-level documentation items. Using the project materials outlined in the case (and others you want to add because you feel they are appropriate), perform the following tasks: Identify all distinct types of documentation. Relate these documentation items to each other. If there are implied relationships, what are they? Provide unique labels for each item that reflects their relationship to each other and through which another reader could easily see that relationship. Formulate these items into a coherent baseline. Define a change control system to assure that the integrity of each of these items will be preserved over time Justify the effectiveness of that control scheme. 1-21