Chapter 1

Information Assurance for the Enterprise
Instructors Manual Chapter 1

Chapter 1: Knowing What to Secure
Learning Objectives
In this chapter, you begin by understanding what information to secure as
information is intangible and difficult to put a dollar value to that asset. At the
end of this chapter, the student will know:
Why knowing what to secure is the first step in the security process
Why information has to be controlled like any other organizational chart
Why change has to be rigorously planned for and managed
Preparing for Class
Instructors should have a good understanding and knowledge of Information
Assurance and Security in general. Because this is an introductory chapter, it is
beneficial to be able to discuss not just the basics of information assurance, but
also how it applies to the real world. The quicker the instructor can help the
students understand how this chapter applies to them personally or professionally,
the more likely the students will be to actively participate.
Prerequisites for Class
Ensure that the students are
In a computer lab, if possible, for access to the Internet
Arranged in the classroom advantageously to ensure maximum participation
Fundamentally sound with information security basics
1-1
Class Preparation Notes
For this class the students will need
Access to a working computer with Internet access
A highlighter (its not mandatory if they can take good notes)
General Teaching Tips
This course has a lot of information that is lecture oriented. Instructor must be
creative in bringing the current events that are relevant to the chapters and make it
an interactive process of learning.
By engaging the students in the learning process, the class discussions will be
lively and make the lecture interesting for this very important topic in todays
digital world.
Discussion Points and Teaching Tips will be provided as necessary for every
chapter. Also, web links will be added as necessary for instructors to include
them in the classroom.
Key Terms
Asset Base It is a repository of items identified and labeled for information
assurance.
Asset Identification It establishes an accurate record of the precise form of the
items in the information asset base.
Asset Management It assures that the documentation is accurate and that all
security policies are correctly implemented.
Asset Management Plan It enumerates the activities that make up the entire
asset management process.
1-2
Authorized Decision Makers They approve the decision to change the
baseline.
Baseline It is a catalogue of recorded information item.
Baselining It is a process of recording an information item.
Change Control It assures that the documentation of the items that exist within
the baseline is accurate and that their precise status is known at all times.
Change Management It assures continuous integrity by controlling all changes
to all formally established baselines.
Concrete Architecture It is the lowest-level of the baseline and represents the
only tangible depiction of the asset.
Controlled Repository This means only authorized people can modify the
repository of the baseline.
Corrective Action It is the specific response that an organization deploys for a
given situation.
Countermeasure It is a control that has been deliberately set to counter an
identified threat.
Decision Maker They are persons who are authorized to approve alterations to
the form of the asset base.
Disaster Recovery It assures the ability to recover assets after a disaster.
Family Tree It is a hierarchical structure of the asset base.
Financial Factors It describes the return on investment (ROI) for a given
countermeasure.
Risk Management It maintains the organizations planned response to all
identified threats.
1-3
Status Accounting It maintains a running documentation of all asset baselines
and performs the routine reporting activities necessary to transmit that knowledge
to the appropriate managers.
Timing It is part of the asset management plan that requires users to back up
and preserve each baseline.
Uncertainty It describes the priority of the threat.
Version Management It keeps each authorized version of the asset baselines
secure, each in its own repository.
Work Practice It establishes a concrete link between each specific item of
information and the countermeasures that are set to protect it.
Lecture Outline
I. Assurance Process
A. Inventory
1. Identify and label every useful bit of information
2. Every information item is catalogued
3. A value is assigned to each information item
4. Recoding process is known as baselining
5. Baseline
i. Catalogue of information items
ii. Starting point for the security response
iii. It contains items that are valuable
iv. It documents the information resource base
1-4
v. It should be maintained as a living entity throughout the
information assurance process
vi. It assures an accurate picture of the information base
vii. Disciplined process is necessary for control and changes to
the baseline
B. Ensuring Continuous Knowledge
1. Asset Management
i. It establishes and maintains a precise description of the
asset base
ii. It assures a permanent accurate accounting
iii. It enables the status of the asset base
2. Process Implementation
i. A plan must be established for a persistent organizational
process
ii. The plan should precisely specify the process for inventory
control
iii. The plan must state the status of the information asset
iv. The plan must have valid baseline
v. The plan must have list of authorized decision makers
vi. The plan must identify the risk management function
vii. Disaster Recovery Plan assures ability to recover assets
after disaster
viii. The plan must define timing and the execution steps
required to back up and preserve each baseline
1-5
ix. The steps to recover assets must be sequenced and
scheduled
3. Asset Identification
i. It establishes an accurate record of the precise form of the
items in the information asset base
ii. It is based on a formal identification scheme
iii. Everything worth protecting should be identified and
labeled properly
iv. The identification scheme is guided by the business case
v. In the labeling process, the first pass should be all-
encompassing
vi. The second pass details each of the large components
vii. Refer to Figure 1-1 (Page 5) for Hierarchy of
documentation baselines
viii. Hierarchical is the most common model for representing
the components of a baseline
ix. Refer to Figure 1-2 (Page 6) for Increasing levels of
assurance controls
x. Concrete Architecture represents only tangible depiction of
the asset
4. Control of Change
i. Change is a continuous process
ii. Control of change means managing the natural evolution of
an entity while preserving its overall integrity
1-6
iii. Changes to the baseline change the protection requirements
5. Status Accounting
i. It maintains running documentation of all asset baselines
ii. It performs routine reporting activities
iii. Normally, information resource manager is responsible for
status accounting
iv. The manager is also referred to as baseline manager
6. Asset Evaluation
i. It assures the operational integrity of the asset base itself
ii. It involves a formal inspection of a designated baseline
iii. Evaluations are conducted routinely, on a scheduled basis
iv. Evaluations assess the degree of correctness of the baseline
v. Results of the evaluations are communicated appropriately
7. Version Management
i. It maintains records of all current versions
ii. All previous versions are archived separately
iii. Archives provide a rollback capability in case of disaster
C. Maintaining Integrity
1. Establishing the Checkpoint
i. Integrity of information is a critical quality for assurance
ii. Refer to Figure 1-4 (Page 10) for Generic Asset baseline
change management process
1-7
iii. A single identified checkpoint in the organization must be
established for change coordination
iv. Single checkpoint assures that the responsible party
approves the required changes to a secured baseline
2. Documenting the Decision
i. Documentation format must be standardized
ii. Any change request must be clearly applied throughout the
organization
3. Assigning Authority
i. Responsible party makes the decision
ii. It assures accountability
iii. Decision-making authority has to assigned formally
iv. Baseline changes can only be approved by the authorized
decision maker
v. To assure integrity, the decision maker empowered to
approve changes must also be authorized to enforce the
decisions
4. Implementing the Change
i. High-impact change approval might come from an
executive decision
ii. Change is made once authorization is received
iii. To assure integrity, the change is inspected and verified
iv. For a major change, entire baseline should be audited to
verify that integrity has been maintained
1-8
v. The labeling is modified to reflect the form of the new
baseline
5. Accounting for Information
i. Formal organizational accounting function assures the asset
base contents are accurate and known
ii. It allows users to document and record all transactions for
the affected baseline
6. Other Considerations
i. Keep track of the individual requesting changes
ii. It allows security managers to validate sensitivity
iii. For complex situations, asset baselines must evolve through
a single integrated and coordinated function
iv. Uncontrolled changes are threats to information integrity
II. Establishing the Assurance Function
A. Basing the Response on the Risks
1. A control set to counter an identified threat is a countermeasure
2. Inventory of risks and associated countermeasures must be
identified
3. Risk assessment requires accurate understanding of the precise
threat-countermeasure relationship factors as follows:
i. Timing Requirements Corrective action depends on the
ability to deliver in sufficient time
ii. Corrective Action Requirements It is a specific response
that an organization deploys for a given situation
1-9
iii. Financial Factors It describes the Return on Investment
(ROI) for a given countermeasure
iv. Likelihood The frequency of the threat occurrence and
the extent of the harm that might result
B. Hoping for the Best and Planning for the Worst
1. Uncertainty factor must be considered in a threat assessment
2. Uncertainty is expressed as a level of confidence
3. Threat assessment is not an exact science, thus it must be
understood to build response
C. Documenting the Countermeasures
1. Risk analysis identifies what information assets an organization
holds
2. Organization also knows the threat levels to every item in the
baseline
3. Refer to Figure 1-5 (Page 16) for relationship between the asset
baseline and the control baseline
III. Documenting the Assurance Solution
A. Sequence and Timing
1. Countermeasures are not applied at the same time
2. Countermeasures must be sequenced properly
3. Sequence must be determined in the design process for
countermeasures
B. Monitoring
1-10
1. It assures that the relationship between the information and its
countermeasures will be supervised
2. It allows the organization to continuously evolve the
countermeasures it needs as threats rise
C. Accountabilities
1. Individual supervisory roles and responsibilities must be defined
for each countermeasure
D. Documentation and Reporting
1. Information to be captured and recorded must be identified
2. Management reports to be produced must be identified
E. Problem Resolution
1. Problems resolution must be stated
2. The problem resolution process must be identified
IV. Keeping the System Aligned
A. The baseline must be properly aligned with the evolution of the operating
infrastructure of the organization
B. Continuous monitoring, adjustment, and updating of the baseline is
important
C. Feedback system is important as it generates a high degree of
organizational buy-in
Teaching Tip
This chapter gives an overview of the information items that needs to be secured.
Instructors can bring in current events such as how information was lost when Hurricane
Katrina hit the Gulf Coast Region. Companies that did not have any Disaster Recovery
1-11
plan where struggling after the floods in New Orleans. You can ask students to give
examples of what needs to be secured in a house and what not as a risk management
plan. Instructor can group students and ask them to identify items that needs to be
secured and prioritize.
Discussion point
There are many discussion questions for the class under the Cross Check section in this
chapter. Instructors can utilize these questions to provide some critical thinking
discussions in the classroom.
Key Terms Quiz
Use the terms from the Key Terms list to complete the sentences that follow.
Dont use the same term more than once. Not all terms will be used.
1. Testing to refine the control set in its operational environment is called ______.
2. Each information item is identified by a unique and appropriate ______.
3. Essentially, ______ types of baselines are involved in asset management.
4. The baseline that provides the specific assurance function is called the ______.
5. The goal of authorization is to assure that the designated ______ authorizes all
changes to information and control ______.
6. Implementing work practices involves consideration of their ______.
7. Threats to information are identified by means of a ______.
8. ______ is necessary because an organizations information can legitimately be in
more than one form, tax records for instance.
9. Measures to resolve problems are called ______.
10. ______ maintains an up-to-date record of the form of the asset.
1-12
Answers
1. Testing to refine the control set in its operational environment is called change
control.
2. Each information item is identified by a unique and appropriate asset
identification.
3. Essentially, family tree types of baselines are involved in asset management.
4. The baseline that provides the specific assurance function is called the change
management.
5. The goal of authorization is to assure that the designated decision maker
authorizes all changes to information and control baseline.
6. Implementing work practices involves consideration of their countermeasures.
7. Threats to information are identified by means of a risk management.
8. Version management is necessary because an organizations information can
legitimately be in more than one form, tax records for instance.
9. Measures to resolve problems are called corrective action.
10. Status Accounting maintains an up-to-date record of the form of the asset.
1-13
Multiple Choice Quiz
1. Information asset management:
A. is irrelevant to information assurance
B. implements policy
C. involves AT&E
D. is unnecessary
2. Baselines:
A. are abstract
B. are intangible
C. are hierarchical
D. must be programmed
3. The process of formulating the control set should be based on:
A. best guess
B. confidence
C. iteration
D. a sense of humor
4. To do its work properly, the status accounting function relies on the use of:
A. code reviews
B. repositories
C. controls
D. verifications
1-14
5. Information asset management is always based on:
A. a plan
B. an analysis
C. best guess
D. best practice
6. Version management is necessary because:
A. there are often multiple examples of the same information
B. software comes in multiple versions
C. there might be two organizations involved
D. versions are difficult to identify
7. A disciplined change process is necessary because:
A. discipline is important
B. the protection scheme must be continuously aligned to the business case
C. items that are left out of the protection scheme will still be protected
D. change never happens
8. Documented baselines serve as:
A. a warning against threats
B. the model for good security practice
C. the basis for access control
D. a proxy for the information asset itself
1-15
Answers
1. B
2. C
3. B
4. B
5. A
6. A
7. B
8. B
Essay Quiz
1. Why is it important to control changes to asset baselines?
2. Why is the labeling process approached hierarchically?
3. Differentiate asset baselines from control baselines.
4. How do the asset management procedures relate to overall information assurance
policy?
5. What is the role of risk assessment when it comes to baseline formulation?
6. Why is organizational buy-in so important to good asset management?
7. What is the purpose of version management, why is it necessary, what are the
outcomes if it is not practiced?
8. Why is it logical to begin the information assurance process with an information
identification step?
9. Why must labels be unique, what purpose does unique labeling serve in the real
world?
1-16
10. Why is assignment of accountability important? What would be the consequence
of not having it?
Answers
1. Why is it important to control changes to asset baselines?
It assures the integrity and correctness of a baseline. Also, it allows for the
maintenance of continuous knowledge about status.
1-17
2. Why is the labeling process approached hierarchically?
The most common model for representing the components of a baseline is
hierarchical. The labeling employed to characterize the relationship of each
individual component to all other components is based on and reflects the
hierarchical structure. The labels must be unique and should designate and
describe the position of the item in the overall family tree of the asset base.
3. Differentiate asset baselines from control baselines.
Asset baseline describes the components of the baseline at a high level of
functioning. It focuses on communicating the general form of the asset base to
managers and users. On the other hand, control baselines are at the lower level of
hierarchical components and are detailed in nature.
4. How do the asset management procedures relate to overall information assurance
policy?
Asset management establishes and maintains a precise description of the
information asset base, its constituent elements, and their interrelationship. It
assures that the documentation is accurate and that all security policies are
correctly implemented. Asset management process is composed of six
interdependent activities Process Implementation, Asset Identification, Control
of Change, Status Accounting, Asset Evaluation and Version Management.
5. What is the role of risk assessment when it comes to baseline formulation?
The risk assessment produces an initial characterization of the type and origin of
all reasonable threats to a particular information item. For every identified threat,
a potential countermeasure is determined. Counter measures are based on the
1-18
four factors - Timing requirements, Corrective action requirements, Financial
factors and Likelihood.
6. Why is organizational buy-in so important to good asset management?
Since generating a baseline for all information assets to be secured is the first step
in having a good secure policy, the buy-in from all levels of organization is very
important.
7. What is the purpose of version management, why is it necessary, what are the
outcomes if it is not practiced?
Version Management is necessary as there are usually simultaneous
representations of the same asset baseline. All versions are archived separately
and thus can provide a rollback capability in the case of disaster, as well as serve
as a source of time-series data for root cause analysis. If version management is
not practiced then it will be difficult to recover after a disaster.
8. Why is it logical to begin the information assurance process with an information
identification step?
Information identification is a critical step as the organization does not know what
to secure then how can an assurance process be developed? So, all critical
information asset should be identified that needs to be protected.
9. Why must labels be unique, what purpose does unique labeling serve in the real
world?
Labels must be unique as it identifies the item, name of the baseline and version
designation. Labels provide a logical framework based on their interrelationships
1-19
and interdependencies. Thus, the structure of the hierarchical process can be
identified clearly.
1-20
10. Why is assignment of accountability important? What would be the consequence
of not having it?
It is important that a person is identified for the responsibilities and accountability
for the specific baseline items. If there is no accountability then there will be no
integrity of the process.
Case Exercise
Complete the following case exercise as directed by your instructor:
Refer to the Heavy Metal Technology Case in Appendix A. You have been
assigned the baseline management responsibility for the project to upgrade the
target acquisition and display (TADS) for the AH64-D Apache Longbow attack
helicopter. To start the process, you know you must first identify and array a
complete and coherent baseline of high-level documentation items. Using the
project materials outlined in the case (and others you want to add because you feel
they are appropriate), perform the following tasks:
Identify all distinct types of documentation.
Relate these documentation items to each other. If there are implied
relationships, what are they?
Provide unique labels for each item that reflects their relationship to each
other and through which another reader could easily see that relationship.
Formulate these items into a coherent baseline.
Define a change control system to assure that the integrity of each of these
items will be preserved over time
Justify the effectiveness of that control scheme.
1-21

Chapter 1

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 1

Uploaded by

Copyright:

Available Formats

Information Assurance for the Enterprise

Instructors Manual Chapter 1

You might also like