Chapter Seven

Administering security
Overview
 So far we have learned how to achieve security, protecting programs,
operating systems, databases, and networks, using technology
(technical controls)
 While this is essential, but not all of security and privacy issues are
addressed by technology
 Security controls are combination of
o Technical controls
o Administrative controls
o Physical controls

04/20/2024 Compiled by: Naol G. (MSc.) 2

Security planning
 Every organization using computing resources should perform
thorough and effective security planning
 A security plan is a document that describes how an organization
will address its security needs, specifying its security goals, and
how to achieve them
 The plan should be reviewed and revised periodically
Security policies
(Constraints)

Security Planning Security Plan

Requirements
Process

Security Techniques and controls

(Mechanisms)
04/20/2024 Compiled by: Naol G. (MSc.) 3
Contents of a Security Plan
 A security plan identifies and organizes the security activities for a
computing system
 The plan is both a description of the current situation and a plan for
improvement
 Every security plan must address seven issues:
o Policy: A security policy is a high-level statement of purpose and
intent, specifying goals, responsibility, and commitment
o Current state: describing the status of security at the time of the
plan, e.g., current assets, vulnerabilities, responsibilities.
o Requirements: specifying the needs that the organization has,
e.g., who is allowed/not allowed, what logs should be kept, etc.

04/20/2024 Compiled by: Naol G. (MSc.) 4

Contents of a Security Plan /Cont…
o Recommended controls: mapping controls to the vulnerabilities
identified in the current state and requirements in the light of the
security policy
o Accountability: describing who is responsible for each security
activity in the case of failure, e.g., specifying responsibilities for
desktop users, DB admins, network admins, CSO, CIO, etc.
o Timetable: identifying when different security functions are to be
done, e.g., procurement of HW, installation, operations, and
maintenance, etc.
o Continuing attention: specifying a structure for periodically updating
the security plan, as the state of the world, technology,
vulnerabilities is not static!

04/20/2024 Compiled by: Naol G. (MSc.) 5

Risk Analysis
 A risk is a potential problem that the system or its users may experience
 Risk analysis is the process of examining a system and its operational
context to determine possible exposures and the potential harm they
can cause
 Three strategies for dealing with risk
o Risk avoidance: by changing requirements for security or other
system characteristics
o Risk transference: by allocating the risk to other systems, people,
organizations, or assets; or by buying insurance to cover any
financial loss should the risk become a reality
o Risk acceptance: by accepting it, controlling it with available
resources, and preparing to deal with the loss if it occurs

04/20/2024 Compiled by: Naol G. (MSc.) 6

Risk Analysis /Cont…
Risk analysis usually comprises the following steps:
 Identify assets
o what we need to protect
 Determine vulnerabilities
o predict what damage might occur to the assets and from what sources
 Estimate likelihood of exploitation
o how often each exposure is likely to be exploited
 Compute expected loss
o determine the likely loss if the exploitation does indeed occur
 Survey applicable controls
o see which controls address the risks identified in previous steps
 Project savings due to control
o determine whether the costs outweigh the benefits of preventing or mitigating the
risks

04/20/2024 Compiled by: Naol G. (MSc.) 7

Security Policies
 A security policy is a high-level management document to inform all
users of the goals of and constraints on using a system
 A security policy must answer three questions: who can access which
resources in what manner?
 Characteristics of a good security policy
o Coverage: a security policy must be comprehensive, and general
enough to apply to new cases
o Durability: a security policy must grow and adapt well
o Realism: it must be possible to implement the stated security
requirements with existing technology
o Usefulness: it must be clear, direct, and understood

04/20/2024 Compiled by: Naol G. (MSc.) 8

Security Policies /Cont…
Examples
 "Each security officer shall . . . perform a risk assessment to identify and
document specific . . . assets, . . . threats, . . . and vulnerability . . .”
 “Vendors and system developers are responsible for providing systems
which are sound and which embody adequate security controls

04/20/2024 Compiled by: Naol G. (MSc.) 9

Physical Security
 There are many threats to security that involve human or natural disasters
 Humans:
o Thieves, vandals, etc.
 Natural:
o Fire, flood, hurricanes, storms, etc.
 Physical security is the term used to describe protection needed outside
the computer system
 Typical physical security controls include guards, locks, CCTVs, backups,
and fences to deter direct attacks
 The primary physical controls are strength and duplication
o Strength means overlapping controls implementing a defense-in-depth
approach so that if one control fails, the next one will protect
o Duplication means having redundant copies of data, spare hardware
components, etc.

04/20/2024 Compiled by: Naol G. (MSc.) 10

Ethics and Information Security
 Ethics: define socially acceptable behaviour
 Many professional groups have explicit rules governing ethical
behavior in the workplace
 Professional associations and certification agencies work to establish
codes of ethics
o Can prescribe ethical conduct (Code of conduct and Code of
practice)
o Do not always have the ability to ban violators from practice in
field

04/20/2024 Compiled by: Naol G. (MSc.) 11

Ethical Differences Across Cultures
 Cultural differences create difficulty in determining what is and what is
not ethical
 Difficulties arise when one nationality’s ethical behavior conflicts with
ethics of another national group
 Scenarios are grouped into
o Software License Infringement
o Illicit (illegal) Use
o Misuse of Corporate Resources
 Cultures have different views on the scenarios

04/20/2024 Compiled by: Naol G. (MSc.) 12

Ethics and Education
 Overriding factor in levelling ethical perceptions within a
population is education
 Employees must be trained in expected behaviors of an ethical
employee, especially in areas of information security
 Proper ethical training is vital to creating informed, well
prepared, and low-risk system user

04/20/2024 Compiled by: Naol G. (MSc.) 13

Deterring Unethical and Illegal Behavior
 Three general causes of unethical and illegal behavior:
ignorance, accident, intent
 Deterrence: best method for preventing an illegal or unethical
activity; e.g., laws, policies, technical controls
 Laws and policies only deter if three conditions are present
o Fear of penalty
o Probability of being caught
o Probability of penalty being administered

04/20/2024 Compiled by: Naol G. (MSc.) 14

 End of Chapter-7
Questions?
Read More…..

04/20/2024 Compiled by: Naol G. (MSc.) 15