
Information System Security Comprehensive Model NSTISSI 4011






Presentation Transcript


  1. Information System Security: Comprehensive Model (NSTISSI 4011). COEN 250 Fall 2007 T. Schwarz, S.J.

  2. Information System Security • Main Goals: CIA • Confidentiality • Integrity • Availability

  3. Information System Security • Confidentiality • Security policy: the set of rules that determines whether a given subject may access a specific object • Confidentiality: assurance that the access controls expressed by that policy are actually enforced

  4. Information System Security • Integrity • A quality of information describing how closely the data represent reality, i.e. that they have not been altered in an unauthorized way

  5. Information System Security • Availability • Information is provided to authorized users when it is requested

  6. Information System Security • Information States • Transmission • Storage • Processing

  7. Information System Security • Security Measures • Technology • Policy and Practice • Policy: Formulation of Security Posture • Practice: Procedures followed to enhance security posture. • Education, Training, Awareness

  8. Information System Security • Figure: the three axes of ISS • Security goals: Confidentiality, Integrity, Availability • Information states: Transmission, Storage, Processing • Security measures: Technology; Procedures and Policies; Education, Training, Awareness

  9. NSTISSI 4011 Training Standards • Awareness level • Creates sensitivity to the threats and vulnerabilities of national security information systems • Recognition of the need to protect data, information, and the means of processing them • Builds a working knowledge of the principles and practices of INFOSEC • Performance level • The skill or ability to design, execute, or evaluate agency INFOSEC procedures and practices

  10. Elements of Computer Security (NIST SP 800-12) • Computer security should support the mission of the organization • Computer security is an integral element of sound management • Computer security should be cost effective • Computer security responsibilities and accountability should be made explicit • System owners have computer security responsibilities outside their own organizations • Computer security requires a comprehensive and integrated approach • Computer security should be periodically reassessed • Computer security is constrained by societal factors

  11. Common Threats • Errors and omissions • by users, data entry clerks, system operators, software engineers • Fraud and theft • by insiders or outsiders • computer as tool or as target • Employee sabotage • Loss of physical and infrastructure support • Malicious hackers • Espionage • industrial or by foreign governments • Malicious code • Threats to personal privacy

  12. Management Controls • Computer Security Policy • Definition: “documentation of computer security decisions” • The term is used with a wide range of meanings • Three basic types • Program policy • creates an organization’s computer security program • Issue-specific policies • address specific issues such as use of cryptography, private use of equipment, software installation, etc. • System-specific policies • each focuses on a single system

  13. Management Controls • Tools to implement policy • Standards • specify uniform use of specific technologies • e.g. organization-wide identification badges • Guidelines • assist users, systems personnel, etc. in effectively securing a system • Procedures • normally assist in complying with applicable security policies, standards, and guidelines

  14. Management Controls • Program Policy • Head of organization issues program policy to establish the org.’s computer security program. • Basic Components • Purpose • Scope • Responsibility • assigned to a newly created or existing office • establishes roles of officials and offices in the org. • Compliance • General compliance, e.g. specifying an oversight office • Use of specific penalties and disciplinary actions • A policy usually only creates the structure

  15. Management Controls • Issue-specific Policy • Applies to a specific issue such as • Internet Access • E-mail Privacy • Use of unofficial software • Basic Components • Issue statement • Define issue with any relevant terms, distinctions, conditions • Statement of org.’s position on issue • Applicability • Roles and responsibilities • Compliance • Points of contact and supplementary information

  16. Management Controls • System Specific Policies • Components • Security objectives • concrete • well defined • Operational security rules • Rules for operating a system: Who can do what to which specific classes and records of data, under what conditions • Often accompanied by implementing procedures and guidelines

  17. Management Controls • Implementing system-specific policy • Technology is not the only means of enforcing system-specific policies • Technology: printing of confidential information is limited to a specific printer • Non-technology: access to that printer’s output is guarded

  18. Management Controls: Computer Security Program Management • OMB Circular A-130 establishes the requirement for federal agencies to establish computer security programs • Federal agencies are complex: • Management occurs at different levels, at least • Centralized (program) level • System level

  19. Management Controls: Computer Security Program Management • Figure: Sources of (Some) Requirements for Federal Unclassified Computer Security Programs • A federal agency computer security program is created and operates in an environment rich in guidance and direction from other organizations. The figure illustrates some of the external sources of requirements and guidance directed toward agency management with regard to computer security. While a full discussion of each is outside the scope of this chapter, it is important to realize that a program does not operate in a vacuum; federal organizations are constrained - by both statute and regulation - in a number of ways. (NIST SP 800-12)

  20. Management Controls: Computer Security Program Management • Figure: example of the placement of program-level and system-level computer security functions within an agency

  21. Management Controls: Computer Security Risk Management • Basic assumption: computers can never be fully secured • Risk Assessment • Process of analyzing and interpreting risk • 3 basic activities • Determining assessment scope and methodology • Collecting and analyzing data • Interpreting risk analysis results

  22. Management Controls: Computer Security Risk Management • Components of Risk Assessment • Asset Valuation • Consequence Assessment • Threat Identification • Vulnerabilities • Safeguards • Likelihood

  23. Management Controls: Assurance • Assurance • Degree of confidence that the security measures work as intended to protect the system and its information • Not a measurable quantity • Accreditation • Management official’s formal acceptance of the adequacy of a system’s security • Components • Technical features • Do they operate as intended? • Operational practices • Is the system operated according to stated procedures? • Overall security • Are there threats that are not addressed? • Remaining risks • Are they acceptable?

  24. Operational Controls: Personnel / User Issues • Two principles • Separation of duties • Least privilege • Staffing • Job definition • Sensitivity determination • Filling the position • Screening applicants • Selecting the individual • Training and awareness creation

  25. Operational Controls: Personnel / User Issues • User Administration • User account management • Identification • Authentication • Access verification • Auditing • Periodically verify the legitimacy of current accounts and access authorizations • Modification / removal of access • Contractor access management • Public access considerations

  26. Operational Controls: Contingency & Disaster Preparation • Contingency planning in six steps • Identification of mission-critical functions • Identification of resources that support critical functions • Anticipation of potential contingencies / disasters • Selecting contingency planning strategies • Implementing contingency strategies • Testing and revising strategies

  27. Operational Controls: Incident Response • Incident Response: actions taken to deal with an incident • Figure: Detection → Countermeasures → Incident Response (Containment & Repair)

  28. Operational Controls Incident Response • Establishment of Successful Incident Handling Capability • Components • Understanding of constituency • Education of constituency • Centralized communication • Expertise in requisite technology • Links to other groups assisting in incident handling, as needed • Technical support • Nationwide / worldwide reporting facility for incidents • Rapid communications • Secure communications for incidents involving national security

  29. Operational Controls: Awareness, Training, & Education • Basic premise: people are fallible • Two main benefits • Improvement of employee behavior • Buy-in • Knowledge and skills • Increased ability to hold employees accountable • Dissemination and enforcement of policies presuppose awareness of them

  30. Operational Controls Awareness, Training, & Education • Awareness • “What” • Information • Training • “How” • Knowledge • Education • “Why” • Insight

  31. Operational Controls: Security Considerations in Computer Support and Operations • Computer support and operations • Everything done to run a computer system • User support (help desk) • Needs to recognize which problems are security related • Example: a user’s failed logins or account lockout may be the side effect of an attacker running a password-guessing attack against that account, not a forgotten password • Software support • Control over the software used on a system • Software may only be modified with proper authorization

  32. Operational Controls: Security Considerations in Computer Support and Operations • Configuration management • Goal: to ensure that changes to the system do not unintentionally or unknowingly diminish security • Backups • critical for contingency planning • Media control • Provide physical and environmental protection and accountability for removable media • Documentation • Maintenance

  33. Operational Controls: Physical and Environmental Security • Protect computer systems from • Interruptions in providing computer services • Physical damage • Unauthorized access to information • Example: the TEMPEST program, which addresses compromising electromagnetic emanations • Loss of control over the system • Physical theft • Mobile and portable systems present a new range of issues

  34. Technical Controls: Identification and Authentication • Identification: • Means by which a user provides a claimed identity to the system • Authentication: • Means of establishing the validity of that claim • Identification and authentication are based on • What you know • e.g. password, pass-phrase (secret key, private key) • What you have • physical key, smart card • What you are • biometrics • Where you are • e.g. trusted machine, access to a room, …

  35. Technical Controls: Logical Access Control • Access • Ability to do something with a computing resource • Access control • Means by which this ability is explicitly enabled or restricted • Not to be confused with • Authorization • Permission to use a computer resource • Authentication • Proof of identity

  36. Technical Controls: Logical Access Control • Access criteria are typically based on • Identity • Roles • Location • Time • e.g. personnel files are only accessible during normal business hours • Transactions • e.g. a phone inquiry is answered by a computer • The computer authenticates the inquirer • If the inquiry is too complicated, a human clerk must answer it • The computer grants the clerk permission to access the inquirer’s record only for the duration of that transaction
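
The following is an added example, not code from the slides or from NIST SP 800-12: a default-deny access decision function that combines the criteria listed on the slide (identity, role, location, time) and models the transaction example, where a clerk receives a read grant for one record that lapses when the call ends. The objects, roles, locations, hours and the 15-minute grant lifetime are assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    location: str  # assumed attribute: where the request originates ("office", "vpn", "internet")


@dataclass(frozen=True)
class Rule:
    obj_prefix: str                              # objects governed by this rule, matched by prefix
    actions: frozenset                           # actions the rule can allow
    roles: frozenset                             # subject needs at least one of these roles
    locations: frozenset                         # request must originate from one of these
    hours: Optional[Tuple[time, time]] = None    # local-time window; None = any time
    weekdays_only: bool = False


# Constructed policy for the two examples on the slide:
#  * personnel files: HR staff, from the office, during business hours on weekdays
#  * customer records: the phone system reads them directly; clerks hold no standing
#    access and instead receive a per-transaction grant (see TransactionGrants)
RULES = [
    Rule("personnel/", frozenset({"read", "write"}), frozenset({"hr"}),
         frozenset({"office"}), hours=(time(8, 0), time(18, 0)), weekdays_only=True),
    Rule("customer/", frozenset({"read"}), frozenset({"phone-system"}),
         frozenset({"office"})),
]


class TransactionGrants:
    """Time-limited access the computer hands to a clerk for a single transaction."""

    def __init__(self):
        self._grants = {}

    def grant(self, user: str, obj: str, now: datetime, minutes: int = 15) -> None:
        self._grants[(user, obj)] = now + timedelta(minutes=minutes)

    def active(self, user: str, obj: str, now: datetime) -> bool:
        expiry = self._grants.get((user, obj))
        return expiry is not None and now < expiry


def decide(subject: Subject, obj: str, action: str, now: datetime,
           grants: Optional[TransactionGrants] = None) -> Tuple[bool, str]:
    """Default-deny decision combining identity, role, location and time criteria.

    Returns (allowed, reason). A request is allowed only if every criterion of some
    rule is satisfied, or if the subject holds an unexpired read grant for the object.
    """
    reason = "no rule grants %s on %s" % (action, obj)
    for rule in RULES:
        if not obj.startswith(rule.obj_prefix) or action not in rule.actions:
            continue
        if not (subject.roles & rule.roles):
            reason = "role not permitted"
            continue
        if subject.location not in rule.locations:
            reason = "location not permitted"
            continue
        if rule.weekdays_only and now.weekday() >= 5:
            reason = "outside permitted days"
            continue
        if rule.hours and not (rule.hours[0] <= now.time() < rule.hours[1]):
            reason = "outside permitted hours"
            continue
        return True, "rule for %s" % rule.obj_prefix
    # Transaction criterion: grants are read-only and lapse when the transaction ends.
    if action == "read" and grants is not None and grants.active(subject.user, obj, now):
        return True, "active transaction grant"
    return False, reason
```

The deny reason is returned alongside the decision so that it can be written to the audit trail; returning only a boolean would make later reconstruction of why a request was refused impossible.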

  37. Technical Controls: Audit Trails • Audit trail • A series of records of computer events • Auditing • Review and analysis of management, operational, and technical controls • Establishing audit trails supports • Individual accountability • Reconstruction of events • Intrusion detection • Problem analysis
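
An added example (not from the slides or from NIST SP 800-12) serving both the help-desk scenario of slide 31 and the audit-trail uses of slide 37: a small parser for constructed authentication audit records, a detector for a burst of failed logins against one account, and a reconstruction step that tells the help desk whether a user's lockout is explained by someone else's password-guessing attack. The log format, thresholds and window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (no real system produced them): one event per line.
SAMPLE_LOG = """\
2007-10-02T09:00:01 LOGIN user=alice src=10.0.0.5 result=success
2007-10-02T09:01:10 LOGIN user=bob src=198.51.100.9 result=failure
2007-10-02T09:01:12 LOGIN user=bob src=198.51.100.9 result=failure
2007-10-02T09:01:15 LOGIN user=bob src=198.51.100.9 result=failure
2007-10-02T09:01:17 LOGIN user=bob src=198.51.100.9 result=failure
2007-10-02T09:01:20 LOGIN user=bob src=198.51.100.9 result=failure
2007-10-02T09:01:20 LOCKOUT user=bob src=198.51.100.9
2007-10-02T09:06:30 LOGIN user=bob src=10.0.0.7 result=failure
2007-10-02T09:06:45 HELPDESK user=bob src=10.0.0.7 result=ticket
2007-10-02T10:30:00 LOGIN user=carol src=10.0.0.8 result=failure
2007-10-02T10:30:20 LOGIN user=carol src=10.0.0.8 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>[A-Z]+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: result=(?P<result>\S+))?$")


def parse(log_text):
    """Turn audit lines into dicts; malformed lines are skipped rather than guessed at."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def detect_guessing(records, threshold=5, window=timedelta(minutes=2)):
    """Intrusion detection: accounts with >= threshold failed logins inside a sliding window.

    Returns {user: (first_ts, last_ts, count, sorted source addresses)} for the first
    burst per account that crosses the threshold.
    """
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN" and r["result"] == "failure":
            failures[r["user"]].append(r)
    alerts = {}
    for user, evs in failures.items():
        evs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                alerts[user] = (burst[0]["ts"], burst[-1]["ts"], len(burst),
                                sorted({r["src"] for r in burst}))
                break
    return alerts


def explain_helpdesk_event(records, user):
    """Reconstruction of events for one account, in the help desk's terms.

    Decides whether a help-desk contact about a lockout is collateral damage from a
    guessing attack (ticket raised from a source that took no part in the burst).
    """
    timeline = sorted((r for r in records if r["user"] == user), key=lambda r: r["ts"])
    ticket = next((r for r in timeline if r["event"] == "HELPDESK"), None)
    lockout = next((r for r in timeline if r["event"] == "LOCKOUT"), None)
    if ticket is None:
        return "no help-desk contact recorded"
    if lockout is None:
        return "help-desk contact with no lockout: likely user error"
    attack = detect_guessing(records).get(user)
    if attack and attack[1] <= lockout["ts"] and ticket["src"] not in attack[3]:
        return ("lockout caused by %d failures from %s; ticket came from %s: "
                "treat as security incident" % (attack[2], ",".join(attack[3]), ticket["src"]))
    return "lockout with no guessing burst: likely forgotten password"
```

The same records answer three of the slide's four purposes: the per-account timeline gives accountability, the sorted timeline gives reconstruction, and the burst detector gives intrusion detection; carol's single failure followed by a success is ordinary user error and produces no alert.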

  38. Technical Controls: Cryptography • A tool for establishing C, I, & A • Relies on technology and on key management
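
To make the slide's point about key management concrete, here is an added example (not from the slides or from NIST SP 800-12) of integrity protection with HMAC-SHA256 from the Python standard library. Each tag carries the identifier of the key that produced it, so tags remain verifiable across key rotation, and retiring a key makes everything signed under it unverifiable: the cryptography is only as good as the keys that are kept. The key ring, the tag format and the fixed test keys are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


class KeyRing:
    """Holds HMAC keys by identifier so tags stay verifiable across rotation."""

    def __init__(self):
        self._keys: Dict[str, bytes] = {}
        self.current: Optional[str] = None   # key id used for new tags

    def add(self, key_id: str, key: bytes) -> None:
        """Install a key and make it the current signing key (rotation)."""
        self._keys[key_id] = key
        self.current = key_id

    def retire(self, key_id: str) -> None:
        """Remove a key; tags made under it can no longer be vouched for."""
        self._keys.pop(key_id, None)

    def get(self, key_id: str) -> Optional[bytes]:
        return self._keys.get(key_id)


def protect(ring: KeyRing, message: bytes) -> str:
    """Return an integrity tag of the form '<key_id>.<hex HMAC-SHA256>'.

    The key id is mixed into the MAC input so a tag cannot be relabelled as having
    been produced under a different key.
    """
    kid = ring.current
    key = ring.get(kid)
    if key is None:
        raise RuntimeError("no current signing key")
    digest = hmac.new(key, kid.encode() + message, hashlib.sha256).hexdigest()
    return "%s.%s" % (kid, digest)


def verify(ring: KeyRing, message: bytes, tag: str) -> bool:
    """True only if the tag was produced over this exact message by a key still on the ring."""
    kid, _, digest = tag.partition(".")
    key = ring.get(kid)
    if key is None:
        return False   # unknown or retired key: integrity cannot be established
    expected = hmac.new(key, kid.encode() + message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest)   # constant-time comparison


def demo() -> bool:
    """Rotation walk-through with random keys; returns True if behaviour is as expected."""
    ring = KeyRing()
    ring.add("k1", os.urandom(32))
    msg = b"transfer 100 to account 42"
    t1 = protect(ring, msg)
    ring.add("k2", os.urandom(32))            # rotate: new tags use k2, k1 still verifies
    still_ok = verify(ring, msg, t1) and verify(ring, msg, protect(ring, msg))
    ring.retire("k1")                          # k1 gone: old tag no longer verifiable
    return still_ok and not verify(ring, msg, t1)
```

HMAC gives integrity and authenticity of origin; it gives no confidentiality, which would need an encryption scheme with its own keys, and the same key-management concerns apply there.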
