CH 2 Security Planning


INFORMATION SECURITY

MANAGEMENT

LECTURE 2:
PLANNING FOR SECURITY
You've got to be careful if you don't know where you're going,
because you might not get there. – Yogi Berra
Outline and Review

• Introduction to Information Security


• CIA Triangle and Extensions
• Principles of Information Security Management

• Planning for Information Security


Principles of Information Security Mgmt
The six P's of information security management, which are the
focus of this course:
1. Planning (Chapters 2 & 3)
2. Policy
3. Programs
4. Protection
5. People
6. Project Management

http://csrc.nist.gov/publications/PubsTC.html
Information Security Planning

Figure 2-1 Information Security and Planning

Source: Course Technology/Cengage Learning


The Role of Planning

• Successful organizations utilize planning

• Planning involves
– Employees
– Management
– Stockholders
– Other outside stakeholders
– The physical and technological environment
– The political and legal environment
– The competitive environment
The Role of Planning (cont’d.)

• Strategic planning includes:


– Vision statement
– Mission statement
– Strategy
– Coordinated plans for sub-units
Precursors to Planning

• Values Statement
– Establishes organizational principles

• Vision Statement
– What the organization wants to become

• Mission Statement
– What the organization does and for whom

The values, vision, and mission statements together provide the
foundation for planning
Strategic Planning

• Strategy is the basis for long-term direction

• Strategic planning guides organizational efforts
Planning Levels

• Strategic goals are translated into tasks

• Objectives should be SMART (specific, measurable, achievable,
relevant, and time-bound)

• Strategic planning then begins a transformation from general to
specific objectives
Planning Levels (cont’d.)

• Strategic planning (long-term direction for the whole organization)

• Tactical planning (shorter-term plans that break strategic goals into
incremental objectives)

• Operational planning (day-to-day tasks, schedules, and procedures)
Planning and the CISO

• Elements of a strategic plan


– Executive summary
– Mission statement and vision statement
– Organizational profile and history
– Strategic issues and core values
– Program goals and objectives
– Management/operations goals and objectives
– Appendices (optional)
Information Security Governance

• Governance of information security is a strategic planning
responsibility
– Importance has grown in recent years

• Information security objectives must be addressed at the highest
levels of an organization's management team
– To be effective and offer a sustainable approach
Desired Outcomes

• Strategic alignment
• Risk management
• Resource management
• Performance measurement
• Value delivery
Implementing Information Security Governance

Figure 2-6 General Governance Framework

Source: IDEAL is a service mark of Carnegie Mellon University

Implementing Information Security Governance (cont’d.)

Figure 2-7 The IDEAL model governance framework

Source: IDEAL is a service mark of Carnegie Mellon University
GRC Article 1: Forrester’s Framework

• Lines of Defense

• Stakeholder Contributions and Expectations

Planning for Information Security Implementation

Source: Information Security Governance: A Call to Action

Planning For Information Security Implementation

• Implementation can begin
– After the plan has been translated into IT and information security
objectives and tactical and operational plans

• Methods of implementation
– Bottom-up
– Top-down
Planning For Information Security Implementation (cont’d.)

Source: Course Technology/Cengage Learning

Article 3: Business Problem, not IT
• Drivers of Resolving Vulnerabilities

• CEO Questions about cyber risks


System Development Life Cycle
• A methodology for the design and implementation of an information
system

• The SecSDLC methodology follows the same phases as the SDLC

Security Systems Development Life Cycle
• Identification of specific threats and the risks they represent

• Design and implementation of specific controls to counter those
threats and manage the risks posed to the organization
SecSDLC: Investigation
Phase begins with directive from management specifying the
process, outcomes, and goals of the project and its budget

Feasibility analysis
• Determines whether the organization has the resources and
commitment to conduct a successful security analysis and
design
SecSDLC: Analysis
Prepare analysis of existing security policies and programs, along
with known threats and current controls

Analyze relevant legal issues that could affect the design of the
security solution

Table 2-1 Threats to Information Security


SecSDLC Analysis: Threats to Information Security

Key terms: vulnerability, exploit, attack

Ex. Java Vulnerability Patch ….and a week later
SecSDLC Analysis: Common Attacks
– Malicious code
– Hoaxes
– Back doors
– Password crack
– Brute force
– Dictionary
– Denial-of-service (DoS) and distributed denial-of-service (DDoS)
– Spoofing
– Man-in-the-middle
– Spam
– Mail bombing
– Sniffer
– Social engineering
– Buffer overflow
– Timing
SecSDLC Analysis: Risk Management
• Prioritize the risk posed by each category of threat

• Identify and assess the value of your information assets
– Assign a comparative risk rating or score to each specific
information asset
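The following is an added worked example of the comparative risk rating step, not code from the lecture or its textbook. It weights a constructed asset inventory on three valuation criteria, combines each asset's value with a per-threat likelihood, current control effectiveness and analyst uncertainty, and ranks the asset/threat pairs so the analysis phase hands the design phase a prioritized list. The scoring formula, criteria weights, asset names and all numbers are assumptions made for illustration.

```python
"""Comparative risk rating of information assets (SecSDLC analysis phase).

Added example, not part of the lecture slides. The scoring model is an
assumption for illustration, not the textbook's own formula:

  asset value   = sum(weight_c * score_c) over valuation criteria (weights sum to 1)
  exposure      = likelihood * asset value
  residual risk = exposure * (1 - control_effectiveness)
  risk score    = residual risk + exposure * uncertainty

The uncertainty term makes a poorly understood threat rank higher, which is
the conservative choice for a first-pass analysis.
"""
from dataclasses import dataclass
from math import isclose

# Relative importance of each valuation criterion (assumed weights).
CRITERIA_WEIGHTS = {
    "revenue_impact": 0.4,
    "profitability_impact": 0.3,
    "public_image": 0.3,
}


@dataclass(frozen=True)
class Asset:
    name: str
    scores: dict  # criterion name -> 0..100 rating


@dataclass(frozen=True)
class ThreatEstimate:
    asset: str                    # Asset.name this estimate applies to
    threat: str                   # threat category from the analysis
    likelihood: float             # 0..1, chance the threat is realised in the period
    control_effectiveness: float  # 0..1, share of the exposure current controls remove
    uncertainty: float            # 0..1, analyst's confidence gap in the two values above


def _check_unit(value, label):
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be in [0, 1], got {value}")


def weighted_value(asset, weights=CRITERIA_WEIGHTS):
    """Weighted asset value on a 0..100 scale; rejects inconsistent weights or scores."""
    if not isclose(sum(weights.values()), 1.0):
        raise ValueError("criteria weights must sum to 1.0")
    missing = set(weights) - set(asset.scores)
    if missing:
        raise ValueError(f"{asset.name}: no score for {sorted(missing)}")
    for crit, score in asset.scores.items():
        if not 0 <= score <= 100:
            raise ValueError(f"{asset.name}/{crit}: score must be in [0, 100]")
    return sum(weights[c] * asset.scores[c] for c in weights)


def risk_score(est, asset_values):
    """Risk score for one asset/threat pair; higher means address it sooner."""
    if est.asset not in asset_values:
        raise KeyError(f"unknown asset {est.asset!r} in threat estimate")
    for value, label in ((est.likelihood, "likelihood"),
                         (est.control_effectiveness, "control_effectiveness"),
                         (est.uncertainty, "uncertainty")):
        _check_unit(value, label)
    exposure = est.likelihood * asset_values[est.asset]
    residual = exposure * (1.0 - est.control_effectiveness)
    return residual + exposure * est.uncertainty


def rank_risks(assets, estimates):
    """Return (asset, threat, score) tuples, highest risk first."""
    values = {a.name: weighted_value(a) for a in assets}
    scored = [(e.asset, e.threat, risk_score(e, values)) for e in estimates]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample inventory and threat estimates (not real data).
SAMPLE_ASSETS = [
    Asset("customer_db", {"revenue_impact": 90, "profitability_impact": 80, "public_image": 95}),
    Asset("edi_gateway", {"revenue_impact": 70, "profitability_impact": 60, "public_image": 40}),
    Asset("public_web", {"revenue_impact": 30, "profitability_impact": 20, "public_image": 90}),
]
SAMPLE_ESTIMATES = [
    ThreatEstimate("customer_db", "SQL injection", 0.3, 0.5, 0.1),
    ThreatEstimate("customer_db", "insider theft", 0.1, 0.2, 0.2),
    ThreatEstimate("edi_gateway", "DDoS", 0.5, 0.3, 0.1),
    ThreatEstimate("public_web", "defacement", 0.6, 0.8, 0.1),
]

if __name__ == "__main__":
    for asset, threat, score in rank_risks(SAMPLE_ASSETS, SAMPLE_ESTIMATES):
        print(f"{score:6.2f}  {asset:<12} {threat}")
```

With the sample data the DDoS threat to the EDI gateway ranks first and the low-likelihood insider threat to the customer database still outranks the high-likelihood but well-controlled defacement of the public web site, which is the point of scoring against asset value and existing controls rather than likelihood alone. The range checks matter in practice: a likelihood entered as a percentage (30 instead of 0.3) would otherwise silently dominate the ranking.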
SecSDLC: Design
• Design in the SecSDLC
– Create and develop a blueprint for security
– Examine and implement key policies
– Evaluate the technology needed to support the security blueprint
– Generate alternative solutions
– Agree upon a final design

• Security models may be used to guide the design process


SecSDLC: Design
• A critical design element of the information security program is the
information security policy

• Management must define the types of security policy

• Integral part of design: SETA program
– Consists of: security education, security training, and security
awareness
– Purpose: enhance security by improving awareness and building the
skills and knowledge needed to apply the policy
SecSDLC: Design
• Design controls and safeguards
– Used to protect information from attacks by threats

• Design controls and safeguards (Categories):
1. Managerial controls
2. Operational controls
3. Technical controls
SecSDLC: Design
• Contingency planning (Chapter 3)
– Prepare for, react to, and recover from circumstances that threaten
the organization

• Types of contingency planning
– Incident response planning (IRP)
– Disaster recovery planning (DRP)
– Business continuity planning (BCP)
SecSDLC: Design
• Physical security
– Design, implementation, and maintenance of countermeasures that
protect the physical resources of an organization

• Physical resources include
– People
– Hardware
– Supporting information system elements
SecSDLC: Implementation
Security solutions are acquired, tested, implemented, and tested again

Personnel issues are evaluated and specific training and education
programs conducted
SecSDLC: Maintenance
Once the program is implemented, it must be:
• Operated
• Properly managed
• Kept up to date using established procedures

If the program is not adjusting adequately to changes in the internal or
external environment, it may be necessary to begin the cycle again
SecSDLC: Maintenance
• Aspects of a maintenance model
– External monitoring
– Internal monitoring
– Planning and risk assessment
– Vulnerability assessment and remediation
– Readiness and review
SecSDLC: Maintenance
• Security program management (Chapter 6)
– A formal management standard can provide some insight into the
processes and procedures needed
– Examples include the BS 7799 / ISO 17799 (now ISO/IEC 27002) /
ISO/IEC 27000-series model or the NIST models described earlier
Article 2: Dealing with GRC

• GRC in an increasingly complex, information-centric world

• Challenges

• Suggestions

• Building a GRC Platform

Summary

• Information security governance

• Planning for information security implementation

• Introduction to the security systems development life cycle