Comprehensive Information Security Planning and Principles Overview
Dive into the world of information security with a detailed exploration of security planning, principles, goals, and key concepts. Learn about access control techniques, authentication combinations, biometric data, elements of BLP, military security policies, backup strategies, and more. Discover the significance of CIA triad, confidentiality, integrity, availability, and conformity to law and privacy requirements. Gain insights into important security principles such as need-to-know, least privilege, segregation of duties, and privacy considerations.
Presentation Transcript
Designing Information Security: Security Planning
Susan Lincke
Security Planning: An Applied Approach | 9/20/2024 | 2
Objectives. Students should be able to:
- Define information security principles: need-to-know, least privilege, segregation of duties, privacy, zero trust
- Define information security management positions: data owner, data custodian, security administrator
- Define access control techniques: mandatory, discretionary, role-based, physical, single sign-on
- Define authentication combinations: single factor, two factor, three factor, multifactor
- Define biometric terms: FRR, FAR, FER, EER
- Define elements of BLP: read down, write up, tranquility principle, declassification
- Define military security policy: level of trust, confidentiality principle
- Define backup rotation, incremental backup, differential backup, degauss, audit trail, audit reduction, criticality classification, sensitivity classification
- Develop an information security classification scheme that addresses confidentiality and availability
Information Security Goals: CIA
- Confidentiality, Integrity, Availability (the CIA triad)
- Conformity to law and privacy requirements
Information Security Principles
- Need-to-know: persons should have the ability to access data sufficient to perform their primary job, and no more
- Least Privilege: persons should have the ability to do tasks sufficient to perform their primary job, and no more
- Segregation of Duties: ensure that no one person can assume two of these roles: Origination, Authorization, Distribution, Verification
- Privacy: personal/private information is retained only when a true business need exists. Privacy is a liability, so retain records for a short time
- The personnel office should change permissions as jobs change
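The segregation-of-duties rule above is easy to state and easy to lose track of once people hold several job roles. The following added example (not from the slides) maps constructed job roles onto the slide's four duties and reports every person who ends up holding two or more of them; the role names and staff assignments are illustrative assumptions.

```python
"""Segregation-of-duties check over role assignments.

Added example, not from the slides.  The four duties come from the slide;
ROLE_DUTIES and STAFF are constructed for illustration."""
from itertools import combinations

# The four duties that no single person may combine.
SEGREGATED_DUTIES = {"origination", "authorization", "distribution", "verification"}

# Hypothetical job roles and the duties each one carries.
ROLE_DUTIES = {
    "purchasing_clerk": {"origination"},
    "purchasing_manager": {"authorization"},
    "warehouse": {"distribution"},
    "accounts_payable": {"verification"},
    "branch_manager": {"authorization", "distribution"},  # conflict built into the role
}

# Constructed staff list: who holds which roles.
STAFF = {
    "alice": ["purchasing_clerk"],
    "bob": ["purchasing_manager", "accounts_payable"],   # authorizes and verifies
    "carol": ["warehouse"],
    "dave": ["branch_manager"],
}


def duties_of(roles):
    """Union of the duties granted by a list of roles."""
    held = set()
    for role in roles:
        held |= ROLE_DUTIES[role]
    return held


def role_has_builtin_conflict(role):
    """True when a single role already combines two segregated duties."""
    return len(ROLE_DUTIES[role] & SEGREGATED_DUTIES) >= 2


def sod_violations(assignments):
    """Return {user: [conflicting duty pairs]} for every user who holds
    two or more of the four segregated duties through any of their roles."""
    violations = {}
    for user, roles in assignments.items():
        held = duties_of(roles) & SEGREGATED_DUTIES
        if len(held) >= 2:
            violations[user] = sorted(combinations(sorted(held), 2))
    return violations


if __name__ == "__main__":
    for user, pairs in sod_violations(STAFF).items():
        print(f"{user}: conflicting duties {pairs}")
```

Run as a periodic review job against the real role catalogue, the report is what a data owner needs for the "periodically review authorization" duty on the later slides: it flags bob, who holds two roles that together break the rule, and dave, whose single role is itself mis-designed.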
Review: State Breach Law Protects
Restricted data generally includes:
- Social Security Number
- Driver's license # or state ID #
- Financial account number (credit/debit) and access code/password
- DNA profile (Statute 939.74)
- Biometric data
Some states and HIPAA also protect: health status, treatment, or payment
Security management positions (org chart). Some positions may be merged:
- President
- Chief Privacy Officer: protects customer and employee rights
- Chief Information Security Officer: creates and maintains a security program
- Chief Security Officer: physical security
- Chief Information Officer: manages information technology
- Business Executive / Data Process Owner: responsible for security of the process
- Data Owner: responsible for security of the data
- Security Administrator: administers computer and network security
- Security Architect: designs and implements policies and procedures
- IS Auditor: independent assurance of security objectives and controls
- Custodian: maintains and protects data: backup/restore/monitor/test
Information Owner or Data Owner
- Is responsible for the data within the business (a manager/director, not IS staff)
- Identifies and classifies data (working with IS)
- Determines who can have access to data, and either grants permissions directly OR gives written permission for access to the security administrator, to prevent mishandling or alteration
- Periodically reviews authorization to restrict authorization creep
- Responsible for security of data from inception to destruction
Other Positions
Data Custodian: IS (security or IT) employee who safeguards the data
- Performs backup/restore
- Verifies integrity of data
- Documents activities
- May be the System Administrator
Security Administrator
- Allocates access to employees based on written documentation
- Monitors access to terminals and applications
- Monitors invalid login attempts
- Prepares security reports
Data User
- Access authorized by data owners
- Trained at hire and regularly in: following password policies (secret and complex); maintaining physical security (locked doors, locked terminal screens when absent); conforming to regulations and internal policies; reporting suspected security violations; using IT for appropriate business purposes
Security: Defense in Depth (layers shown on the slide)
- Border Router
- Perimeter firewall
- Internal firewall
- Intrusion Detection System
- Authentication
- Access Controls
- Policies & Procedures & Audits
Planning for Information Security
- Step 1: Classify Data for CIA
- Step 2: Allocate Controls
- Step 3: Allocate Roles & Permissions
Criticality Classification
- Critical ($$$$): cannot be performed manually. Tolerance to interruption is very low
- Vital ($$): can be performed manually for a very short time
- Sensitive ($): can be performed manually for a period of time, but may cost more in staff
- Nonsensitive: can be performed manually for an extended period of time with little additional cost and minimal recovery effort
Sensitivity Classification (Example)
- Proprietary: Strategic Plan
- Confidential: Salary & Health Info; Information Systems
- Privileged: Product Plans (internal)
- Public: Product Users Manual near Release
Sensitivity Classification Workbook
Sensitivity Classification | Description | Information Covered
- Proprietary | Protects competitive edge. Material is of critical strategic importance to the company. Dissemination could result in serious financial impact. | (none listed)
- Confidential | Information protected by FERPA, PCI-DSS and breach notification law. Shall be available on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. | Student information & grades, Payment card information, Employee information
- Privileged | Should be accessible to management or for use with specific parties. Could cause internal strife or divulge trade secrets if released. | Professor research, Student homework, Budgets
- Public | Disclosure is not welcome, but would not adversely impact the organization. | Teaching lectures
Workbook: Information Asset Inventory
- Asset Name: Course Registration
- Value to Organization: Records which students are taking which classes
- Location: IS Main Center (Regisoft IS Server)
- Security Risk Classification: Sensitive, Vital
- Data Owner: Registrar: Monica Jones
- Designated Custodian: IS Operations: John Johnson
- Granted Permissions: Login/Password Authentication: complex passwords, changed annually. Logs: staff access to student records
Allocate Controls (Step 1: Classify Data for CIA; Step 2: Allocate Controls; Step 3: Allocate Roles & Permissions)
Control Systems:
- Authentication: complex passwords, multifactor authentication, biometric systems
- Access Controls: mandatory, role based, attribute based, physical and/or discretionary access control
- Accountability: logs, transaction audit trails, attack signature detection, trend variance detection
- Audit: checking policies, processes, staff awareness and security training via official audits; management reports monitor accountability
Data Classification
- How do we mark classified information?
- How do we determine which data should be classified to which class?
- How do we store, transport, handle, and archive classified information?
- How do we dispose of classified data?
- What does the law say about handling this information?
- Who has authority to determine who gets access, and what approvals are needed for access?
Handling of Sensitive Data Workbook (columns: Confidential | Privileged | Public)
- Access: Need to know, least privilege | Need to know, least privilege | Need to know
- Paper Storage: Locked cabinet, locked room if unattended | Locked cabinet, locked room if unattended | Locked room if unattended
- Disk Storage: Password-protected, encrypted | Password-protected, encrypted | Password-protected
- Labeling & Handling: Label "Confidential", clean desk, low voice, no SSNs, ID required | Clean desk, low voice | None
- Transmission/Migration: Encrypted | Encrypted | None
- Data Warehousing: De-identification occurs through summary reports based on course summaries or major summaries
- Archive & Retention: Encrypted backups. Grades retained online 2 years after graduation; afterwards maintained offline. Other information retained only for 6 months after graduation; 1 year after absence. | Encrypted backups | None
- Disposal & Destruction: Degauss and damage disks; shred paper | Secure wipe; shred paper | Reformat disks
- Special Notes: When a student asks, email of grades for one student is permitted with an email security notice appended.
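The classification workbook only pays off if someone checks real assets against it. The following added example (not from the slides) encodes the handling table above as minimum controls per sensitivity class and channel, validates an inventory record's sensitivity and criticality classes, and reports which required controls an asset lacks. The control names and the sample asset record are constructed; Proprietary is omitted because the handling table does not cover it.

```python
"""Classification and handling-gap check derived from the workbook table.

Added example, not from the slides.  Control identifiers and the sample
asset record are constructed for illustration."""

CRITICALITY_CLASSES = ("Critical", "Vital", "Sensitive", "Nonsensitive")

# Minimum handling controls per sensitivity class, per channel, as read
# from the workbook table (Proprietary does not appear in that table).
REQUIRED_HANDLING = {
    "Confidential": {
        "access": {"need-to-know", "least-privilege"},
        "paper_storage": {"locked-cabinet", "locked-room-when-unattended"},
        "disk_storage": {"password-protected", "encrypted"},
        "labeling": {"label-confidential", "clean-desk", "low-voice", "no-ssns", "id-required"},
        "transmission": {"encrypted"},
        "archive": {"encrypted-backups"},
        "disposal": {"degauss-and-damage-disks", "shred-paper"},
    },
    "Privileged": {
        "access": {"need-to-know", "least-privilege"},
        "paper_storage": {"locked-cabinet", "locked-room-when-unattended"},
        "disk_storage": {"password-protected", "encrypted"},
        "labeling": {"clean-desk", "low-voice"},
        "transmission": {"encrypted"},
        "archive": {"encrypted-backups"},
        "disposal": {"secure-wipe", "shred-paper"},
    },
    "Public": {
        "access": {"need-to-know"},
        "paper_storage": {"locked-room-when-unattended"},
        "disk_storage": {"password-protected"},
        "disposal": {"reformat-disks"},
    },
}


def validate_classification(sensitivity, criticality):
    """Reject records whose classes are not in the scheme."""
    if sensitivity not in REQUIRED_HANDLING:
        raise ValueError(f"unknown sensitivity class: {sensitivity!r}")
    if criticality not in CRITICALITY_CLASSES:
        raise ValueError(f"unknown criticality class: {criticality!r}")
    return True


def handling_gaps(sensitivity, applied_controls):
    """Return {channel: [missing controls]} relative to the class minimum."""
    gaps = {}
    for channel, needed in REQUIRED_HANDLING[sensitivity].items():
        missing = needed - set(applied_controls.get(channel, ()))
        if missing:
            gaps[channel] = sorted(missing)
    return gaps


def audit(record):
    """Validate the record's classes, then report its handling gaps."""
    validate_classification(record["sensitivity"], record["criticality"])
    return handling_gaps(record["sensitivity"], record["controls"])


# Constructed inventory record modelled on the asset-inventory workbook.
COURSE_REGISTRATION = {
    "asset": "Course Registration",
    "sensitivity": "Confidential",
    "criticality": "Vital",
    "controls": {
        "access": ["need-to-know", "least-privilege"],
        "paper_storage": ["locked-cabinet", "locked-room-when-unattended"],
        "disk_storage": ["password-protected"],  # encryption at rest not yet applied
        "labeling": ["label-confidential", "clean-desk", "low-voice", "no-ssns", "id-required"],
        "transmission": ["encrypted"],
        "archive": ["encrypted-backups"],
        "disposal": ["degauss-and-damage-disks", "shred-paper"],
    },
}

if __name__ == "__main__":
    print(COURSE_REGISTRATION["asset"], "gaps:", audit(COURSE_REGISTRATION))
```

The output for the sample record is a single gap, unencrypted disk storage, which is exactly the kind of finding the IS auditor slide later asks for ("authorization is documented and consistent with reality").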
Storage & Destruction of Confidential Information
- Repair: remove memory before sending equipment out for repair
- Disposing of media: meet record-retention schedules; reformat the disk; use a secure wipe tool; if highly secure: degauss (demagnetize) or physically destroy
- Storage: encrypt sensitive data; avoid touching the media surface; keep out of direct sunlight; keep free of dust and liquids (a firm container is best); avoid magnetic, radio, or vibrating fields; use anti-static bags for disks; avoid temperature spikes for disks and bring them to room temperature before use; write-protect magnetic media; store tapes vertically
Four Layers of Logical Security
- Two layers of general access: to Networks and to Systems (System 1, System 2)
- Two layers of granularity of control: to Applications (App1, App2) and to Databases
Authentication: Password Rules
- Stored one-way encrypted (hashed) using a strong algorithm
- Never displayed (except as ***)
- Never written down and retained near the terminal or in a desk
- Passwords should be changed every 30 days, notifying the user in advance
- A password history should prevent the user from reusing a password within 1 year
- Passwords should be >= 8 (better 12) characters, including 3 of: alpha, numeric, upper/lower case, and special characters
- Passwords should not be identifiable with the user, e.g., a family member's or pet's name
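The rules above can be enforced at the point where a user sets a new password. The following added example (not from the slides) implements them with the standard library: one-way hashing with PBKDF2-HMAC-SHA256, the length and character-class rules, the "not identifiable with the user" rule against a list of personal tokens, the one-year history check, and the 30-day age check. The user record, the personal tokens and the iteration count are assumptions.

```python
"""Password-policy checker for the rules on the slide above.

Added example, not from the slides.  The user record, personal tokens and
history entries are constructed; PBKDF2 parameters are assumptions."""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 8            # slide: >= 8 characters, 12 is better
RECOMMENDED_LENGTH = 12
MAX_AGE_DAYS = 30         # slide: change every 30 days
HISTORY_DAYS = 365        # slide: no reuse within 1 year
ITERATIONS = 100_000      # assumed PBKDF2 work factor


def hash_password(password, salt=None):
    """One-way hash; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def character_classes(password):
    """Count the slide's four classes: alpha, numeric, mixed upper/lower case, special."""
    count = 0
    if re.search(r"[A-Za-z]", password):
        count += 1
    if re.search(r"[0-9]", password):
        count += 1
    if re.search(r"[a-z]", password) and re.search(r"[A-Z]", password):
        count += 1
    if re.search(r"[^A-Za-z0-9]", password):
        count += 1
    return count


def check_new_password(password, user, history, today):
    """Return a list of rule violations; an empty list means the password is accepted.

    user:    dict with 'login' and 'personal_tokens' (family, pet names, ...)
    history: list of (salt, digest, date_set) tuples for earlier passwords"""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short (minimum {MIN_LENGTH}, {RECOMMENDED_LENGTH} recommended)")
    if character_classes(password) < 3:
        problems.append("needs 3 of: alpha, numeric, upper/lower case, special")
    lowered = password.lower()
    for token in [user["login"]] + list(user.get("personal_tokens", [])):
        if token and token.lower() in lowered:
            problems.append(f"identifiable with user: contains {token!r}")
    for salt, digest, when in history:
        if (today - when).days <= HISTORY_DAYS and verify_password(password, salt, digest):
            problems.append("reused within the last year")
            break
    return problems


def password_expired(last_changed, today):
    return (today - last_changed).days >= MAX_AGE_DAYS


def days_until_expiry(last_changed, today):
    """Used to notify the user in advance of a forced change."""
    return MAX_AGE_DAYS - (today - last_changed).days


if __name__ == "__main__":
    user = {"login": "jdoe", "personal_tokens": ["Fluffy", "Taylor"]}
    print(check_new_password("Fluffy2024!!", user, [], date.today()))
```

The history is kept as salted hashes, so the reuse check re-hashes the candidate against each stored entry rather than comparing plaintexts; that keeps the history file as safe as the live credential store.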
Authentication Combinations
- Authentication: ensures that the system accurately identifies a user on the system
- Authorization: determines permissions: what a known user can do
- Single Factor: something you know (login and password)
- Multifactor Authentication: using two or more authentication methods
- Two Factor: add one of: something you have (card or ID) or something you are or do (biometric)
- Three Factor: uses all three, e.g., badge, thumb, pass code
Biometrics
- Biometrics: who you are or what you do; susceptible to error
- False Rejection Rate (FRR): rate of legitimate users rejected in error
- False Acceptance Rate (FAR): rate of users accepted in error
- Failure to Enroll Rate (FER): rate of users who failed to successfully register
- Equal Error Rate (EER): the operating point where FRR = FAR. Tightening the match threshold raises FRR and lowers FAR; loosening it raises FAR and lowers FRR
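FAR, FRR and EER are only meaningful at a specific match threshold, and the slide's curve is easiest to understand by computing it. The following added example (not from the slides) takes constructed similarity scores for genuine and impostor comparisons, sweeps the threshold over every distinct score, and reports the threshold at which FAR and FRR cross; the scores and the "accept when score >= threshold" convention are assumptions.

```python
"""FAR, FRR and EER computed from match scores.

Added example, not from the slides.  Score samples are constructed;
convention: a comparison is accepted when its score >= threshold."""

# Constructed similarity scores in [0, 1].  genuine = a user compared with
# their own template; impostor = other people compared with that template.
GENUINE = [0.92, 0.88, 0.75, 0.81, 0.95, 0.66, 0.79, 0.85, 0.90, 0.70]
IMPOSTOR = [0.20, 0.35, 0.41, 0.55, 0.30, 0.62, 0.48, 0.25, 0.72, 0.38]


def false_rejection_rate(genuine, threshold):
    """FRR: share of legitimate users rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """FAR: share of impostors accepted (score at or above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor):
    """List of (threshold, FAR, FRR) at every distinct score, ascending.
    Raising the threshold can only lower FAR and raise FRR."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
            for t in thresholds]


def equal_error_rate(genuine, impostor):
    """Threshold where FAR and FRR are closest, and the EER there.
    Ties are broken toward the lower threshold."""
    t, far, frr = min(error_curve(genuine, impostor),
                      key=lambda p: (abs(p[1] - p[2]), p[0]))
    return t, (far + frr) / 2


def failure_to_enroll_rate(enrollment_attempts, failures):
    """FER: share of users whose registration did not produce a usable template."""
    return failures / enrollment_attempts


def curve_is_monotone(curve):
    """Sanity check: FAR never rises and FRR never falls as the threshold rises."""
    fars = [p[1] for p in curve]
    frrs = [p[2] for p in curve]
    return all(a >= b for a, b in zip(fars, fars[1:])) and \
        all(a <= b for a, b in zip(frrs, frrs[1:]))


if __name__ == "__main__":
    for t, far, frr in error_curve(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FAR {far:.2f}  FRR {frr:.2f}")
    print("EER at threshold %.2f = %.2f" % equal_error_rate(GENUINE, IMPOSTOR))
```

On the constructed data the crossing sits at threshold 0.70 with EER 0.10; a deployment that cares more about impostors than about user friction would run above that threshold and accept the higher FRR.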
Biometrics: Considerations
Considerations for different types of biometrics include:
- Accuracy: palm, hand, iris, and retina have low EER rates
- Acceptability: some techniques are deemed invasive, such as retina scanning, where the eye needs to be less than an inch from the reader. Also, physical contact at public readers may be less acceptable
- Cost, storage: complexity and storage requirements per user identity vary by biometric type
- Reliability: injuries may affect fingerprint recognition; a cold may hamper voice recognition. Replay may be possible (e.g., voice recognition)
- Variability: biometrics do not change for people, and if biometrics are stolen, identity is stolen. While voice and signature recognition may change to use different pass phrases, deep fakes may even hamper those technologies
Biometrics with Best Response & Lowest EER (source: CISA Review Manual 2009)
Type (top is best) | Advantages | Disadvantages
- Palm | Social acceptance | Physical contact
- Hand (3D) | Social acceptance, low storage | Not unique, injury affects
- Iris | No direct contact | High cost, high storage
- Retina | Low FAR | High cost, 1-2 cm away: invasive
- Fingerprint | Low cost; more storage = lower EER | Physical contact -> grime -> poor quality image
- Voice | Phone use, social acceptance | High storage, playback, voice change, background noise
- Signature | Easy to use, low cost | Uniqueness; writing onto a tablet differs from paper
- Face | Social acceptance | Not unique; overcome with high storage
Biometric Info Mgmt & Security Policy
- Identification & authentication procedures
- Backup authentication
- Safe transmission/storage of biometric data
- Security of physical hardware
- Validation testing
- Auditors should ensure documentation and use are professional
Single Sign On
Advantages | Disadvantages
- One good password replaces lots of passwords | Single point of failure -> total compromise
- IDs consistent throughout system(s) | Complex software development due to diverse OS
- Reduced admin work in setup & forgotten passwords | Expensive implementation
- Quick access to systems |
Diagram: the user enters a password once at the Primary Domain (System); the Secondary Domains (App1, DB2, App3) accept that session.
Recommended Password Allocation (state diagram between Security System and User)
- New account: the user is allocated a random password or sent an email with a link; the first (new-password) login requires the user to set a password
- Account [unlocked]: subsequent logins
- Enter 5 invalid passwords -> Account [locked]
- Account [locked] returns to Account [unlocked] by one of: [Manual] unlock; [Auto Timeout], where the system automatically unlocks; or [Forgot Password], where the user requests a new password and the system sends a new-password email
Admin & Login ID Rules
- Restrict the number of admin accounts
- An admin password should be known by only one user
- Admin accounts should never be locked out, whereas other accounts are
- An admin password can be kept in a locked cabinet in a sealed envelope, where a top manager has the key
- Login IDs should follow a confidential internal naming rule
- Common accounts (Guest, Administrator, Admin) should be renamed
- Session time-out should require password re-entry
Authorization: Access Control Techniques (examples from the slide)
- Mandatory Access Control: the system assigns users (John, June, May, Al, Don) to groups (Mgmt, Billing, Factory) and fixes each group's permissions (r, x, rx) on files A..E
- Discretionary Access Control: the file owner grants permissions per user: John: A, B, C, D, E, F (rwx, rx, r); June: A, B, C; May: D, E, F; Al, Don: B, C; Pat: D, F; Tom: E
- Role-Based Access Control (Login -> Role -> Permission): John: Mgr -> A, B, C, D, E, F; June: Acct. -> A, B, C; Al: Acct. -> A, B, C; May: Factory -> D, E, F; Pat: Factory -> D, E, F; Tim: permissions listed on the slide as A, B and E
Access Control Techniques
- Mandatory Access Control: general (system-determined) access control
- Discretionary Access Control: the person with permissions controls access
- Role-Based Access Control: access control determined by role in the organization. RBAC's advantage is simplicity: all members with a given role have identical permissions, and implementation is quick since multiple users are assigned as a group
- Physical Access Control: locks, fences, biometrics, badges, keys
Attribute-Based Access Control (figure): roles Doctor, Nurse, Medical Admin against the actions Enter Appointment, Enter Treatment, Enter Doctor Referral, Enter Current Traits (Height, Weight, Appearance), Enter Prescriptions
Step 3: Allocate Roles & Permissions (Step 1: Classify Data for CIA; Step 2: Allocate Controls; Step 3: Allocate Roles & Permissions)
Permission types
- Read, inquiry, copy
- Create, write, update, append, delete
- Execute, check
Access Matrix Model (HRU): rows are subjects, columns are objects
        File A   File B   File C
Terry   rwx      rx       -
Jack    rwx      r        d
Jill    r        rx       rwx
Role-Based Access Control Workbook (Partial): Table of Roles
- Student (current staff: includes undergraduate and graduate students, full and part-time): registers for courses, work-study, and scholarships; pays bills; examines personal grades and grade history; accesses university resources: library, courses or learning management system (LMS)
- Instructor (includes instructors, professors, and adjuncts): observes registration and creates grades for personally-taught classes in the registration system; submits files (notes, homework), quizzes, and grades to the LMS; reads student homework and quiz submissions
- Registrar (Registrar, Asst. Registrars): organizes courses and the school calendar; distributes transcripts upon purchase; audits graduation
- Advisor (Advising Faculty; includes department faculty and staff outside the Advising department who advise): reads student transcripts and grade reports for personally-designated advisees and students in own major; writes advising notes for the same students
Workbook: Role-Based Access Control. Role Name -> Information Access (e.g., Record or Form) and Permissions (e.g., RWX)
- Instructor: Student Records: Grading Form (for own courses) RW; Student Transcript (current students) R; Transfer credit form R; Learning Mgmt System: all parts (RW) except student work submissions (R)
- Advising: Student Records: Student Transcript (current students in major area) R; Fee Payment R; Transfer credit form R; Advising notes: RW, Create
- Registration: Student Records: Fee Payment RW; Transfer credit form RW; Specialized advising and course registration forms RW
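The two RBAC workbook tables above are all that is needed to answer "may this person do this to this record". The following added example (not from the slides) loads the workbook's role-to-permission rows, assigns constructed users to roles (one of them holding two roles, so permissions are the union), answers permission queries, and produces the reverse listing a data owner needs when reviewing who can write a given form. The user names and the permission-letter convention (R read, W write/update, C create) are assumptions; the role rows are the workbook's.

```python
"""RBAC lookup built from the workbook tables above.

Added example, not from the slides.  Role rows follow the workbook; user
assignments and the R/W/C letter convention are constructed."""

# Permission letters: R = read/inquiry/copy, W = write/update, C = create a new record.
ROLE_PERMISSIONS = {
    "Instructor": {
        "Student Records: Grading Form (own courses)": "RW",
        "Student Records: Student Transcript (current students)": "R",
        "Transfer credit form": "R",
        "LMS: all parts": "RW",
        "LMS: student work submissions": "R",
    },
    "Advising": {
        "Student Records: Student Transcript (current students in major)": "R",
        "Student Records: Fee Payment": "R",
        "Transfer credit form": "R",
        "Advising notes": "RWC",
    },
    "Registration": {
        "Student Records: Fee Payment": "RW",
        "Transfer credit form": "RW",
        "Specialized advising and course registration forms": "RW",
    },
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "prof_lee": {"Instructor"},
    "ann_advisor": {"Advising"},
    "reg_desk": {"Registration"},
    "dept_chair": {"Instructor", "Advising"},   # two roles: permissions are the union
}


def effective_permissions(user):
    """Merge the permission letters of every role the user holds."""
    perms = {}
    for role in USER_ROLES.get(user, ()):
        for record, letters in ROLE_PERMISSIONS[role].items():
            merged = set(perms.get(record, "")) | set(letters)
            perms[record] = "".join(sorted(merged))
    return perms


def permitted(user, record, op):
    """True when the user's roles grant operation op (R, W or C) on the record."""
    return op in effective_permissions(user).get(record, "")


def users_with_access(record, op):
    """Reverse lookup for the data owner's periodic review of authorization."""
    return sorted(u for u in USER_ROLES if permitted(u, record, op))


def assign_role(user, role):
    """Adding a user to a role is the whole provisioning step under RBAC."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role!r}")
    USER_ROLES.setdefault(user, set()).add(role)


if __name__ == "__main__":
    print("Who may write Transfer credit form:", users_with_access("Transfer credit form", "W"))
    print("dept_chair:", effective_permissions("dept_chair"))
```

Because permissions hang off roles rather than people, the review question "who can change fee payments" is a single reverse lookup, and a job change is handled by moving the person between roles rather than editing dozens of individual grants.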
Advanced: Administration of Information Security in Highly Secure Environments
System Access Control
- Establish rules for access to information resources
- Create/maintain user profiles
- Allocate user IDs requiring authentication (per person, not per group)
- Notify users of valid use and access before and upon login
- Ensure accountability and auditability by logging user activities
- Log events
- Report access control configuration and logs
Application-Level Access Control
- Create/change file or database structure
- Authorize actions at the application level, file level, transaction level, and field level
- Log network and data access activities to monitor access violations
Which Computer Do You Trust? You plan to make a purchase on-line. Your work/office computer? A library or college computer? Your cellphone? Your laptop? Your children's computer?
Trusted Computing Base (TCB)
A trusted app has horizontal dependencies (operating system, hardware) and vertical dependencies (server applications, network, authentication server, ...). Diagram: Trusted App 1-3 over Trusted Service 1-3, over a Trusted Operating System, over Trusted Hardware, joined by a Trusted network.
Processing Requires Dependencies
- Vertical dependencies: a Secret app requires a Secret-level database, Secret-level OS, and Secret-level hardware
- Horizontal dependencies: a Secret app requires Secret-level servers, Secret-level communications, and Secret-level authentication
Trusted Computing Base (TCB) Subset
- A verified security policy provides reliability
- An encapsulated security implementation provides rapid implementation
Diagram: Security Policy; Trusted App 1-3; Trusted Service 1-3 with an encapsulated security implementation; Trusted OS with an encapsulated security implementation; Trusted Hardware; Trusted network.
Bell and La Padula Model (BLP): Property of Confinement
- Read Down: permitted if the Subject's class >= the Object's class
- Write Up: permitted if the Subject's class <= the Object's class
- Tranquility Principle: an Object's class cannot change
- Declassification: a Subject can lower his/her own class
Levels (highest to lowest): Top Secret, Secret, Confidential, Non-Classified. Example: Joe => (Secret)
Military Security Policy
Class          | Finance                     | Engineering        | Personnel
Top Secret     | Customer list               | New plans          |
Secret         | Dept. Budgets               | Code (Secret, Eng) | Personnel review
Confidential   | Expenses (Confid., Finance) | Emails             | Salary
Non-Classified | Balance sheet               | Users Manuals      | Position Descriptions
- A person has an Authorization Level or Level of Trust (S, D) = (sensitivity, domain) as Subject (potentially a Project)
- An object has a Security Class
- Confidentiality Property: a Subject can access an Object if it dominates the Object's classification level
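The BLP slide and the military security policy slide above describe one lattice: a label is a (sensitivity, domain set) pair, and a subject dominates an object when its level is at least the object's and its domains include the object's. The following added example (not from the slides) implements dominance, read-down and write-up over the slide's table of objects; Joe's clearance and the domain sets attached to each object are assumptions drawn from the table's column headings.

```python
"""BLP read-down / write-up over (sensitivity, domain) labels.

Added example, not from the slides.  Object labels follow the Military
Security Policy table; Joe's clearance is constructed."""
from typing import FrozenSet, NamedTuple

LEVELS = {"Non-Classified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


class Label(NamedTuple):
    """Immutable on purpose: the tranquility principle says an object's
    class does not change while it is in use."""
    level: str
    domains: FrozenSet[str]


def dominates(a, b):
    """a dominates b when a's level is at least b's and a's domain set
    contains every domain of b."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.domains >= b.domains


def can_read(subject, obj):
    """Read down: the subject's class must dominate the object's class."""
    return dominates(subject, obj)


def can_write(subject, obj):
    """Write up: the object's class must dominate the subject's class, so
    information never flows to a lower or unrelated label."""
    return dominates(obj, subject)


def declassify_subject(subject, new_level):
    """A subject may lower, never raise, its own working level."""
    if LEVELS[new_level] > LEVELS[subject.level]:
        raise ValueError("subjects cannot raise their own level")
    return Label(new_level, subject.domains)


# Objects from the slide's table, with the column heading as the domain.
OBJECTS = {
    "Customer list": Label("Top Secret", frozenset({"Finance"})),
    "New plans": Label("Top Secret", frozenset({"Engineering"})),
    "Dept. Budgets": Label("Secret", frozenset({"Finance"})),
    "Code": Label("Secret", frozenset({"Engineering"})),
    "Personnel review": Label("Secret", frozenset({"Personnel"})),
    "Expenses": Label("Confidential", frozenset({"Finance"})),
    "Emails": Label("Confidential", frozenset({"Engineering"})),
    "Salary": Label("Confidential", frozenset({"Personnel"})),
    "Balance sheet": Label("Non-Classified", frozenset({"Finance"})),
    "Users Manuals": Label("Non-Classified", frozenset({"Engineering"})),
    "Position Descriptions": Label("Non-Classified", frozenset({"Personnel"})),
}

# Constructed clearance: Joe is cleared to Secret in the Engineering domain only.
JOE = Label("Secret", frozenset({"Engineering"}))


def readable_by(subject):
    return sorted(name for name, lab in OBJECTS.items() if can_read(subject, lab))


def writable_by(subject):
    return sorted(name for name, lab in OBJECTS.items() if can_write(subject, lab))


if __name__ == "__main__":
    print("Joe can read:", readable_by(JOE))
    print("Joe can write:", writable_by(JOE))
```

The domain half of the label is what keeps a Secret-cleared engineer out of Confidential finance records even though Confidential is a lower level: dominance requires both comparisons to hold, not just the level.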
IS Auditor Verifies
- Written policies and procedures are professional and implemented
- Access follows need-to-know
- Security awareness and training are implemented
- Data owners and data custodians meet their responsibility for safeguarding data
- The Security Administrator provides physical and logical security for IS programs, data, and equipment
- Authorization is documented and consistent with reality
See the CISA Review Manual for specific details
Summary
- Data is inventoried
- Data is allocated a sensitivity and criticality class
- Class handling is defined for handling, transporting, and storage
- Roles are allocated permissions (access control)
- Authentication ensures access control is enforced: biometrics, two-factor authentication, single sign-on
- Trust enables use; access may be distributed: Trusted Computing Base
- Audit trails enforce accountability
Question: The person responsible for deciding who should have access to a data file is:
1. Data custodian
2. Data owner
3. Security administrator
4. Security manager
Question: Least Privilege dictates that:
1. Persons should have the ability to do tasks sufficient to perform their primary job and no more
2. Access rights and permissions shall be commensurate with a person's position in the corporation: i.e., lower layers have fewer rights
3. Computer users should never have administrator passwords
4. Persons should have access permissions only for their security level: Confidential, Private or Sensitive
Question: A concern with personal or private information is that:
1. Data is not kept longer than absolutely necessary
2. Data encryption makes the retention of personal information safe
3. Private information on disk should never be taken off-site
4. Personal data is always labeled and handled as critical or vital to the organization