
CMPS 319

Blueprint For Security


Chapter 6
Begin with the end in mind
-- Stephen Covey
Learning Objectives:
Upon completion of this material you should be able
to:
Understand management’s responsibilities and role in the
development, maintenance, and enforcement of information security
policy, standards, practices, procedures, and guidelines.
Understand the differences between the organization’s general
information security policy and the needs and objectives of the
various issue-specific and system-specific policies the organization
will create.
Know what an information security blueprint is and what its major
components are.
Understand how an organization institutionalizes its policies,
standards, and practices using education, training and awareness
programs.
Become familiar with what viable information security architecture is,
what it includes, and how it is used.

Principles of Information Security - Chapter 6 Slide # 2


Introduction
The creation of an information security program
begins with an information security blueprint, and
before we can discuss the creation and
development of a blueprint, it is important to look at
management’s responsibility in shaping policy.
It is prudent for information security professionals to
know the information security policies and how
these policies contribute to the overall objectives of
the organization.

Information Security Policy,
Standards and Practices
Management from all communities of interest must
consider policies as the basis for all information
security efforts
Policies direct how issues should be addressed and
technologies used
Security policies are the least expensive control to
execute, but the most difficult to implement
Shaping policy is difficult because a policy must:
Never conflict with laws
Stand up in court, if challenged
Be properly administered

Definitions
A policy is
A plan or course of action, as of a government, political
party, or business, intended to influence and determine
decisions, actions, and other matters
Policies are organizational laws
Standards, on the other hand, are more detailed statements
of what must be done to comply with policy
Practices, procedures and guidelines effectively explain how
to comply with policy
For a policy to be effective it must be properly disseminated,
read, understood and agreed to by all members of the
organization
Types of Policy
Management defines three types of security
policy:
General or security program policy
Issue-specific security policies
Systems-specific security policies

Policies Standards & Practices

Security Program Policy
A security program policy (SPP) is also
known as a general security policy, IT
security policy, or information security policy
Sets the strategic direction, scope, and tone
for all security efforts within the organization
An executive-level document, usually drafted
by or with, the CIO of the organization and is
usually 2 to 10 pages long

Issue-Specific Security Policy (ISSP)
As various technologies and processes are
implemented, certain guidelines are needed to use
them properly
The ISSP:
addresses specific areas of technology
requires frequent updates
contains an issue statement on the organization’s position
on an issue
Three approaches:
Create a number of independent ISSP documents
Create a single comprehensive ISSP document
Create a modular ISSP document
Example ISSP Structure
Statement of Policy
Authorized Access and Usage of Equipment
Prohibited Usage of Equipment
Systems Management
Violations of Policy
Policy Review and Modification
Limitations of Liability

Example Policy

Systems-Specific Policy
While issue-specific policies are formalized as
written documents, distributed to users, and agreed
to in writing, SysSPs are frequently codified as
standards and procedures used when configuring or
maintaining systems
Systems-specific policies fall into two groups:
Access control lists (ACLs) consist of the access control
lists, matrices, and capability tables governing the rights
and privileges of a particular user to a particular system
Configuration Rules comprise the specific configuration
codes entered into security systems to guide the
execution of the system

ACL Policies
Both Microsoft Windows NT/2000 and Novell
Netware 5.x/6.x families of systems translate ACLs
into sets of configurations that administrators use to
control access to their respective systems
ACLs allow configuration to restrict access from
anyone and anywhere
ACLs regulate:
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the system from
How authorized users can access the system
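The following is an added example, not code from the textbook or the slides: a small evaluator for a systems-specific ACL that answers the five questions listed above (who, what, when, where, how) before granting access, with default deny when no entry matches. The user names, group names, resource name, networks and hours in the sample policy are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class AclEntry:
    """One row of a capability table (fields are constructed for this example)."""
    who: str                       # user name or group name
    what: str                      # the resource being governed
    rights: frozenset              # rights granted, e.g. {"read", "write"}
    when: tuple = (0, 24)          # allowed hours as [start, end) in local time
    where: tuple = ("0.0.0.0/0",)  # source networks the entry applies to
    how: frozenset = frozenset({"console", "vpn", "internet"})  # access paths

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    resource: str
    right: str
    at: datetime
    source_ip: str
    path: str

def entry_permits(entry: AclEntry, req: AccessRequest) -> bool:
    """True only when who, what, when, where and how are all satisfied."""
    if entry.who != req.user and entry.who not in req.groups:
        return False                                   # who
    if entry.what != req.resource or req.right not in entry.rights:
        return False                                   # what
    start, end = entry.when
    if not start <= req.at.hour < end:
        return False                                   # when
    src = ip_address(req.source_ip)
    if not any(src in ip_network(net) for net in entry.where):
        return False                                   # where
    return req.path in entry.how                       # how

def decide(acl, req: AccessRequest):
    """Default deny: grant only if some entry permits the request.
    Returns (granted, matching entry or None) so the decision can be audited."""
    for entry in acl:
        if entry_permits(entry, req):
            return True, entry
    return False, None

def request(user, groups, right, hour, source_ip, path, resource="payroll-share"):
    """Helper that builds a request at a fixed, constructed date."""
    return AccessRequest(user, frozenset(groups), resource, right,
                         datetime(2024, 1, 15, hour), source_ip, path)

# Constructed policy: payroll clerks may read the payroll share from the
# office LAN at the console during business hours; admins may read and
# write it at any time, from anywhere, over any access path.
ACL = [
    AclEntry("payroll-clerks", "payroll-share", frozenset({"read"}),
             when=(8, 18), where=("10.1.0.0/16",), how=frozenset({"console"})),
    AclEntry("admins", "payroll-share", frozenset({"read", "write"})),
]
```

Because `decide` returns the matching entry, each grant can be logged with the rule that justified it, which is what an audit of the ACL later needs.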
Figure 6-3 – Novell Example ACL

Windows Example ACL

Rule Policies
Rule policies are more specific to the
operation of a system than ACLs
Many security systems require specific
configuration scripts telling the systems what
actions to perform on each set of information
they process
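As an added example (not from the textbook or any vendor product), here is a minimal evaluator for the kind of configuration rules described above, in the style of a firewall rule base: rules are checked in order, the first match decides what happens to the packet, and a final cleanup rule drops and logs anything unmatched. The addresses, services and rule numbers are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int
    src: str           # source network in CIDR form, or "any"
    dst: str           # destination network in CIDR form, or "any"
    service: str       # "tcp/443", "udp/53", or "any"
    action: str        # "accept" or "drop"
    log: bool = False  # whether a match is written to the audit trail

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int

def net_match(net: str, ip: str) -> bool:
    return net == "any" or ip_address(ip) in ip_network(net)

def service_match(service: str, pkt: Packet) -> bool:
    if service == "any":
        return True
    proto, port = service.split("/")
    return pkt.proto == proto and pkt.dport == int(port)

def has_cleanup_rule(rulebase) -> bool:
    """Sanity check: the last rule must match everything and drop it."""
    last = rulebase[-1]
    return (last.src, last.dst, last.service, last.action) == ("any", "any", "any", "drop")

def evaluate(rulebase, pkt: Packet):
    """First matching rule decides. Returns (action, rule number, log line or None).
    Reaching the end without a match means the rule base is misconfigured."""
    for rule in rulebase:
        if (net_match(rule.src, pkt.src_ip) and net_match(rule.dst, pkt.dst_ip)
                and service_match(rule.service, pkt)):
            log_line = None
            if rule.log:
                log_line = (f"rule={rule.number} action={rule.action} "
                            f"{pkt.src_ip}->{pkt.dst_ip} {pkt.proto}/{pkt.dport}")
            return rule.action, rule.number, log_line
    raise ValueError("rule base lacks a cleanup rule; nothing matched")

# Constructed rule base: anyone may reach the DMZ web server over HTTPS,
# the DMZ may never open connections into the inner network, inner hosts
# may browse HTTPS outward, and the cleanup rule drops and logs the rest.
RULEBASE = [
    Rule(1, "any", "192.0.2.10", "tcp/443", "accept"),
    Rule(2, "192.0.2.0/24", "10.0.0.0/8", "any", "drop", log=True),
    Rule(3, "10.0.0.0/8", "any", "tcp/443", "accept"),
    Rule(4, "any", "any", "any", "drop", log=True),
]
```

Rule order is part of the policy: moving the cleanup rule to the top would shadow every other rule and drop all traffic, which is why a rule base should be checked for ordering as well as content.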

Checkpoint Example

IDS Rules

IDS Rules

Policy Management
Policies are living documents that must be
managed and nurtured, and are constantly
changing and growing
Documents must be properly managed
Special considerations should be made for
organizations undergoing mergers, takeovers and
partnerships
In order to remain viable, policies must have:
an individual responsible for reviews
a schedule of reviews
a method for making recommendations for reviews
an indication of effective and revision date
Automated Policy Management
A new category of software for managing information
security policies is emerging
In recent years, this category has emerged in
response to needs articulated by information
security practitioners
While there have been many software products that
meet specific technical control needs, there is now a
need for software to automate some of the
administration of policy

Information Classification
The classification of information is an important
aspect of policy
The same protection scheme created to prevent
production data from accidental release to the
wrong party should be applied to policies in order to
keep them freely available, but only within the
organization
In today’s open office environments, it may be
beneficial to implement a clean desk policy
A clean desk policy stipulates that at the end of the
business day, all classified information must be
properly stored and secured
Not A Clean Desk

Systems Design
At this point in the Security SDLC, the analysis
phase is complete and the design phase begins –
many work products have been created
Designing a plan for security begins by creating or
validating a security blueprint
Then use the blueprint to plan the tasks to be
accomplished and the order in which to proceed
Setting priorities can follow the recommendations of
published sources, or from published standards
provided by government agencies, or private
consultants
The SecSDLC

Information Security Blueprints
One approach is to adapt or adopt a
published model or framework for information
security
A framework is the basic skeletal structure
within which additional detailed planning of
the blueprint can be placed as it is developed
or refined
Experience teaches us that what works well
for one organization may not precisely fit
another
ISO 17799/BS 7799
One of the most widely referenced and often
discussed security models is the Information
Technology – Code of Practice for Information
Security Management, which was originally
published as British Standard 7799
This Code of Practice was adopted as an
international standard by the International
Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC) as
ISO/IEC 17799 in 2000 as a framework for
information security
BS7799-2

ISO 17799 / BS 7799
Several countries have not adopted 17799 claiming
there are fundamental problems:
The global information security community has not
defined any justification for a code of practice as identified
in the ISO/IEC 17799
17799 lacks “the necessary measurement precision of a
technical standard”
There is no reason to believe that 17799 is more useful
than any other approach currently available.
17799 is not as complete as other frameworks available
17799 is perceived to have been hurriedly prepared given
the tremendous impact its adoption could have on
industry information security controls
ISO/IEC 17799
Organizational Security Policy is needed to provide
management direction and support
Objectives:
Operational Security Policy
Organizational Security Infrastructure
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
System Access Control
System Development and Maintenance
Business Continuity Planning
Compliance
NIST Security Models
Another approach available is described in the
many documents available from the Computer
Security Resource Center of the National Institute
of Standards and Technology (csrc.nist.gov) –
Including:
NIST SP 800-12 - The Computer Security Handbook
NIST SP 800-14 - Generally Accepted Principles and
Practices for Securing IT Systems
NIST SP 800-18 - The Guide for Developing Security
Plans for IT Systems

NIST SP 800-14
Security Supports the Mission of the Organization
Security is an Integral Element of Sound Mgmt
Security Should Be Cost-Effective
Systems Owners Have Security Responsibilities Outside
Their Own Organizations
Security Responsibilities and Accountability Should Be Made
Explicit
Security Requires a Comprehensive and Integrated
Approach
Security Should Be Periodically Reassessed
Security is Constrained by Societal Factors
33 Principles enumerated
IETF Security Architecture
While no specific architecture is promoted through
the Internet Engineering Task Force, the Security
Area Working Group acts as an advisory board for
the protocols and areas developed and promoted
through the Internet Society
RFC 2196: Site Security Handbook provides an
overview of five basic areas of security with detailed
discussions on development and implementation
There are chapters on such important topics as
security policies, security technical architecture,
security services, and security incident handling

Visa Model
Visa International promotes strong security
measures and has security guidelines
Developed two important documents that improve
and regulate its information systems
“Security Assessment Process”
“Agreed Upon Procedures”
Using the two documents, a security team can
develop a sound strategy for the design of good
security architecture
The only downside to this approach is the very
specific focus on systems that can or do integrate
with VISA’s systems
Baselining and Best Practices
Baselining and best practices are solid methods for
collecting security practices, but can have the
drawback of providing less detail than would a
complete methodology
It is possible to gain information by baselining and
using best practices and thus work backwards to an
effective design
The Federal Agency Security Practices Site
(fasp.csrc.nist.gov) is designed to provide best
practices for public agencies, which can be adapted easily to
private organizations
Professional Membership
It may be worth the information security
professional’s time and money to join professional
societies with information on best practices for its
members
Many organizations have seminars and classes on
best practices for implementing security
Finding information on security design is the easy
part; sorting through the collected mass of
information, documents, and publications can take a
substantial investment in time and human resources

Hybrid Framework
The framework proposed here is the result of
a detailed analysis of the components of all
the documents, standards, and Web-based
information described in the previous sections
It is offered to the student as a balanced
introductory blueprint for learning the
blueprint development process

NIST SP 800-26
Management Controls
Risk Management
Review of Security Controls
Life Cycle Maintenance
Authorization of Processing (Certification and Accreditation)
System Security Plan
Operational Controls
Personnel Security
Physical Security
Production, Input/Output Controls
Contingency Planning
Hardware and Systems Software
Data Integrity
Documentation
Security Awareness, Training, and Education
Incident Response Capability
Technical Controls
Identification and Authentication
Logical Access Controls
Audit Trails

Spheres of Security

Sphere of Use
Generally speaking, the concept of the sphere is
to represent the 360 degrees of security
necessary to protect information at all times
The first component is the “sphere of use”
Information, at the core of the sphere, is
available for access by members of the
organization and other computer-based systems:
To gain access to the computer systems, one must
either directly access the computer systems or go
through a network connection
To gain access to the network, one must either directly
access the network or go through an Internet
connection
Sphere of Protection
The “sphere of protection” overlays each of the
levels of the “sphere of use” with a layer of security,
protecting that layer from direct or indirect use
through the next layer
The people must become a layer of security, a
human firewall that protects the information from
unauthorized access and use
Information security is therefore designed and
implemented in three layers
policies
people (education, training and awareness programs)
technology
Controls
Management Controls cover security processes that
are designed by the strategic planners and
performed by security administration of the
organization
Operational Controls deal with the operational
functionality of security in the organization
Operational controls also address personnel
security, physical security and the protection of
production inputs and outputs
Technical Controls address those tactical and
technical issues related to designing and
implementing security in the organization
The Framework
Management Controls:
Program Management
System Security Plan
Life Cycle Maintenance
Risk Management
Review of Security Controls
Legal Compliance
Operational Controls:
Contingency Planning
Security ETA
Personnel Security
Physical Security
Production Inputs and Outputs
Hardware & Software Systems Maintenance
Data Integrity
Technical Controls:
Logical Access Controls
Identification, Authentication, Authorization and Accountability
Audit Trails
Asset Classification and Control
Cryptography

SETA
As soon as the policies exist, policies to implement
security education, training and awareness (SETA)
should follow
SETA is a control measure designed to reduce
accidental security breaches
SETA supplements the general education and training
programs already in place to educate staff on information
security.
Security education and training builds on the
general knowledge the employees must possess to
do their jobs, familiarizing them with the way to do
their jobs securely
SETA Elements
The SETA program consists of three elements
security education
security training
and security awareness
The organization may not be capable or willing to undertake
all three of these elements but may outsource them
The purpose of SETA is to enhance security by:
Improving awareness of the need to protect system
resources
Developing skills and knowledge so computer users can
perform their jobs more securely
Building in-depth knowledge, as needed, to design,
implement, or operate security programs for organizations
and systems.

SETA

Security Education
Everyone in an organization needs to be trained
and aware of information security, but not every
member of the organization needs a formal degree
or certificate in information security
When formal education in security is needed for appropriate
individuals, an employee can identify curriculum available
from local institutions of higher learning or continuing
education
A number of universities have formal coursework in
information security
(See for example http://infosec.kennesaw.edu).

Security Training
Security training involves providing members
of the organization with detailed information
and hands-on instruction designed to prepare
them to perform their duties securely
Management of information security can
develop customized in-house training or
outsource the training program

Security Awareness
One of the least frequently implemented, but most
beneficial, programs is the security awareness
program
Designed to keep information security at the
forefront of the users’ minds
Need not be complicated or expensive
If the program is not actively implemented,
employees begin to ‘tune out’, and the risk of
employee accidents and failures increases

Awareness at KSU

Comments
Defense in Depth
One of the foundations of security architectures is the
requirement to implement security in layers
Defense in depth requires that the organization establish
sufficient security controls and safeguards, so that an
intruder faces multiple layers of controls
Security Perimeter
The point at which an organization’s security protection
ends, and the outside world begins
Referred to as the security perimeter
Unfortunately the perimeter does not apply to internal
attacks from employee threats, or on-site physical threats

Defense in Depth

Perimeters and Domains

Key Technology Components
Other key technology components
A firewall is a device that selectively discriminates against
information flowing into or out of the organization
The DMZ (demilitarized zone) is a no-man’s land,
between the inside and outside networks, where some
organizations place Web servers
In an effort to detect unauthorized activity within the inner
network, or on individual machines, an organization may
wish to implement Intrusion Detection Systems or IDS

Key Components

IDS
