Information Security Management Flashcards
Implications of the Internet being very new
New uses continually developing
No time for Information Security to mature as a discipline.
- Increased inter-connectivity
- Increased complexity
- Increased risk
- External threats
- Web sites, external interfaces coded for functionality, not security
- Continued requirements to break the perimeter
- Internal systems become increasingly high-value
- Increased operational requirements
- Increased cost of failure
- Increased threat from internal actors
- Business requirements don’t take into account security cost and risk
- Bring Your Own Device
- Mobile Working
- Remote Access
Current Issue with Information Security
Security is seen as a Non-Functional Requirement
- No drive to resolve security issues
- Functionality is prioritised over security
- Security is not given resource
What is needed to make security a priority?
Pressure is needed to make security a priority
- Commercial Pressure
- Customer Pressure
- Legal Pressure
- Regulatory Pressure
4 questions to start designing information security
What are we protecting?
- Intellectual Property?
  - Pharmaceutical Company
  - Trading House
- Customer Information?
  - Hospital
  - Bank
  - Government Ministry
- Something with direct value?
  - Bank
Who are we protecting against?
- External attackers?
- Internal attackers?
What capability are we worried about?
- Nation-State-level?
- Organised Crime?
- Individual actors?
- Hackers?
- Political activists?
- Knowledgeable insiders?
Can we afford it?
- Be reasonable!
Possible Approaches to Increase Security
- No remote access. If you need to work, come into the office
- No Internet at the desktop
- Highly visible Physical Security measures
- No BYOD
- Positive management support and attention for Security issues
- Disaster Recovery
Defense in Depth
- Defend beyond your secure zone
- Multiple Layers of Security
- Different Forms of Defense
- Protection against a weakness in any one layer
- Each layer can protect against different types of attack
- Weaken the enemy incrementally
- Encourage them to attack points of strength
Limitations of Defense in Depth
- Increased complexity
- Usability issues
- Cost versus Reward not guaranteed
- Customer perception may decline
3 requirements (strong rec.) for information security
1. Security Policy
- Covers basic security requirements
- Without a policy, you won’t get far
- Typically fairly short – maybe 20 pages
2. Technical Documentation
- Gives specifics on how to implement policy in different circumstances
- Settings on systems
- Design constraints
- Processes and procedures that need to be in place
3. An organisation to support all this
- Security changes rapidly
- Nobody else cares about Security
12 things we need in a Security Organisation
- Security Engineering
- Identity and Access Management
- Logging and Monitoring
- Security Operations
- Security Architects
- Application Security
- Security Compliance
- Risk Management
- Physical security
- Data Protection
- Internal Audit
- Audit Response
1 Security Engineering
1. Security Engineering
- Firewalls
- Proxies
- Secure Email Systems
- Remote Access Systems
- Intrusion Detection Systems
- Problem – creates a set of ‘Super Users’
2 Identity and Access Management
2. Identity and Access Management
- Create User Accounts (Joiners)
- Allocate Privilege
- Remove User Accounts (Leavers)
- Data Classification
- Revalidation of User Accounts
  - Privilege Revalidation
  - Employment Revalidation
  - Continued Business Need Revalidation
- Problem – shifts the ‘Super User’ issue to IAM
3 Logging and Monitoring
3. Logging and Monitoring
- Log collection – from everything
- Identify unusual activity
- Generate alerts
- Validate alerts
- Watch the Security Organisation and other Super-Users
- This becomes a Big Data challenge very quickly
- Problem – who watches the watchers?
4 Security Operations
4. Security Operations
- Implement Separation of Duties
- The team that ‘does things’ has privilege but no wide visibility
- Run day-to-day security processes
- Check security software is still running
- Chase other teams to do their part
- Respond to alerts
- Set up User Accounts
- Set up privileges
- Incident Management?
- Problem – SecOps is typically the junior team…
5 Security Architects
5. Security Architects
- Ensure all solutions are in line with the Security Policy
- Design solutions
- Approve solutions
- Advice and Guidance to the rest of the organisation
- Focused on infrastructure, networks, platforms
Problems:
- Who validates the advice and guidance?
- Who makes sure the organisation follows the advice?
6 Application Security
6. Application Security
- Ensure Application Development is in line with Security Policy
- Own any in-house security software solutions
- Advice and guidance to Application Development Teams
7 Security Compliance
7. Security Compliance
- Check that all the security requirements are being met
  - Patches
  - Vulnerabilities
  - Least Privilege
  - Guidance from architects
  - Any other requirements from the Policy
- Problem – Separation of Duty
8 Risk Management
8. Risk Management
- Understand all the holes, all the outstanding issues
- Rate risks
- Prioritise resolution
- Communicate risks
- Ensure that risks are owned and responded to
Problems:
- How do we rate risks and get people to accept them?
- What about operational risks?
9 Physical Security
9. Physical Security
- Guard the doors!
- Security monitoring
- Check that physical security policy is implemented
  - Clear desk
  - Confidential information
  - Hardware / software
- Secure transportation
  - Hardware
  - Data
- Executive protection
- Problem – Trust, Separation of Duties
10 Data Protection
10. Data Protection
- Regulatory Requirement
- Understand rules around PII, SPI
- Ensure rules are enforced
- Provide evidence to regulators
11 Internal Audit
11. Internal Audit
- Check that everybody is doing everything right
- Provide evidence to executives
- Spot problems before they become an external problem
  - Regulators
  - Customer impact
  - Security impact
Problems:
- Separation of Duties
- Understanding of the complicated environment
12 Regulatory & Audit Response
12. Regulatory & Audit Response
- Understand all other security-related regulations that are in place
  - Sarbanes Oxley, J-Sox etc
  - Basel II / III, FSA, FED
  - HIPAA
  - …
- Provide Internal / External Audit with required information
Pros and Cons of Security Outsourcing
Pros:
- May give you the skills you lack
- Contracts give some security
- Cost known up-front
Cons:
- No guarantee that outsourcer will do as asked
- Regulators only care about responsibilities/accountability
- Anything you don’t include in the contract will cost you a lot of money later
- Outsourcers are very good at doing what THEY want to do
  - Offshoring
  - Automating
- Outsourcers have their own problems
  - Attrition
  - Doing stuff you couldn’t do for less money than they charge you
- If you don’t have the skills to do the security work, how can you check?
  - A new team – Security Outsourcer Checking team!
Conclusion and Predictions
- This won’t get any easier
- Security Organisations will get even bigger and better funded
- Governance and compliance will become even more important
- Risk Management will gain increasing focus
- Outsourcing will become increasingly regulated
- InfoSec Management will develop into a much more professional discipline
- InfoSec skills will become increasingly sought-after