Friday, May 26, 2017

Cybersecurity and Its Ten Domains University System of Georgia. Roilo Golez notes. Coursera.

Cybersecurity and Its Ten Domains
University System of Georgia
KSU MOOC (Massive Open Online Course) Instructors: Dr. Humayun Zafar and Mr. Andrew Green
Kennesaw State University Coles College of Business
Welcome and Course Overview
Over the next few weeks, we will guide you through important topics related to the field of Cybersecurity. You don’t have to take our word for it. You will hear from experts from companies such as the Coca Cola Company, SAP and Macy’s about various domains that make Cybersecurity such a challenge. You also don’t have to be an IT expert to take this course. All you need is a few minutes a day and by the end of the course you should have a clear idea about cybersecurity. This course will be taught using a variety of materials such as videos, tutorials and readings. All of these resources are open and free for you to use. You’ll be assessed through peer-reviewed discussions and machine-graded quizzes. At the end of the course you have the option of submitting material to Kennesaw State University for credit evaluation at the Undergraduate level.
You can follow us on twitter for course updates and comments. We hope to see you at the finish line.
Katherine Fithen Chief Privacy Officer Coca Cola
Hello, my name is Katherine Fithen, and I am the Chief Privacy Officer at The Coca Cola Company. I want to talk to you about the importance of cybersecurity.
You all know that many aspects of our lives rely on the Internet and computers. Most of us love our smart phones and many of us use email and texting to communicate. Our cars have onboard computers that tell us if something is malfunctioning and needs our attention.
We can bank using our mobile devices. Our medical records are electronic and are instantaneously accessible. And finally, as we can see from this course, virtual classrooms are making their way into education. So with everything connected the way they are, protecting information and systems that we rely on at home, work or school means that we need to concentrate on cybersecurity. As we continue to evolve into a highly connected and ubiquitous ecosystem of various technologies, the cyber security threats we face not only multiply but become more and more sophisticated. Phishing scams, data theft and other online vulnerabilities demand that we remain vigilant about securing our systems and information. It is important that we each understand the risks as well as the actions we can take to help protect our information and systems. Good luck in this course.
Meet the Instructors
Dr. Humayun Zafar
Assistant Professor of Information Security and Assurance, Department of Information Systems, Kennesaw State University
Dr. Humayun Zafar is an Assistant Professor of Information Security and Assurance, as well as Director of the Mobile App Development (MAD) Lab at Kennesaw State University. He received his doctorate from the University of Texas at San Antonio. His cyber security research has appeared in numerous journals and conferences. In 2014 he received an award from the Graduate School at Kennesaw State for his Research and Creative Activity. He routinely presents at professional conferences such as Mobility Live! and has appeared in the media numerous times for his expertise in the area of security and mobility. Check out this podcast.
In summer 2013 he designed the MAD Junior program to impart STEM knowledge to middle school students through creation of mobile games. He recently received multiple grants from Google (via the Tides Foundation) to continue with the program and partner with local non-profit agencies such as Computers For Youth (CFY) to encourage minorities to enroll in STEM programs.
Over the years, Dr. Zafar has taught numerous online undergraduate and graduate courses that pertain to cyber security at Kennesaw State University.
He is an avid tennis player and is pretty active on the marathon circuit. You may follow him on Twitter.
You may also check out his website for more information.
Mr. Andy Green
Lecturer of Information Security and Assurance, Department of Information Systems, Kennesaw State University
Andrew Green is a Lecturer of Information Security and Assurance in the Information Systems Department, located in the Michael J. Coles College of Business at Kennesaw State University, Kennesaw, Georgia. Green has over a decade of experience in information security. Prior to entering academia full-time, Green worked as an information security consultant, focusing primarily on the needs of small and medium-sized businesses. Prior to that, Green worked in the healthcare IT field, where he developed and supported transcription interfaces for medical facilities throughout the United States. Green is also pursuing his Ph.D. at Nova Southeastern University, where he is studying information systems with a concentration in information security. Green is also a co-author on a number of academic textbooks on various information security-related topics, published by Course Technology.
Course Objectives
The learner will gain knowledge about securing both clean and corrupted systems, protecting personal data, and securing computer networks.
The learner will understand key terms and concepts in cyber law, intellectual property and cyber crimes, trademarks and domain theft.

The learner will be able to examine secure software development practices.
The learner will understand principles of web security.
The learner will be able to incorporate approaches for incident analysis and response.
The learner will be able to incorporate approaches for risk management and best practices.
The learner will gain an understanding of cryptography, how it has evolved, and some key encryption techniques used today.
The learner will develop an understanding of security policies (such as confidentiality, integrity, and availability), as well as protocols to implement such policies.
The learner will gain familiarity with prevalent network and distributed system attacks, defenses against them, and forensics to investigate the aftermath.

MODULE 1
Hi everyone, in this module we’re going to cover some of the fundamentals of security that will assist you throughout the course. We will then introduce you to two domains of cyber security: Access Control and Software Development. Don’t forget to take the quiz once you are done with this module. There is also a peer-assessed discussion board as well to enhance your knowledge base.
Module Overview: Introduction to Security, Access Control, and Software Development Security
Objectives:
By the end of this module, learners will be able to:
Recognize cyber security's importance in our increasingly computer-driven world.
Master the key concepts of cyber security and how they "work".
Explain the technology principles of security detection/protection and access control.
List the steps to design an access control system.

Describe the software development life cycle.
Readings for Videos:
Introduction to Security: "An introduction to information security".
Access Control: Read Chapter 17 of NIST SP 800-12, titled "Logical Access Control".
Software Development Security: Read about the "OWASP Secure Application Design Project" and the "Microsoft Security Development Lifecycle".
Supplemental Readings for This Module:
Introduction to Security: Read Chapters 1-3 of "Information Security for Non-Technical Managers".
Access Control: Read about "Passwords".
Software Development Security: Read about "The Ten Best Practices for Secure Software Development".
Hi. I’m JoEtta LeSeur, a security administrator at JDA Software and I’m here today to talk to you about Access Control.
One of the most important things in the foundation of cybersecurity is controlling how resources are accessed so that they are protected from unauthorised modification or disclosure.
Access can be controlled via technical, physical or administrative means.
Therefore, access control can be defined as the process of granting or denying specific requests for or attempts to: (1) obtain and use information and related information processing services and (2) enter specific physical facilities. The term access is sometimes confused with authorization and authentication. There is a difference.
Access is the ability (usually a technical one such as read, create, modify or delete) to do something with a computer resource.
Authorization is the permission to use a resource.
Permission is granted by the application or the owner of the system.
Authentication is proving that users are who they claim to be.
Three main cyber security principles for any type of security control are referred to as the CIA principle. CIA stands for Confidentiality, Integrity and Availability.
Confidentiality: The property that information is not disclosed to users, processes or devices unless they have been authorized to access the information.
Integrity: The property whereby information has not been modified or destroyed in an unauthorized manner.
Availability: The property of being accessible.
Some of the basic concepts in access control are:
Identification: user provides identification information such as a user name

Authentication: The identification information is verified through things such as passwords.
Authorization: Using specific criteria, a determination is made of the operations a user can carry out.
Accountability: Monitoring and logging are enabled to track whatever a user does.
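As an added illustration (not from the course notes or the lecture), the four access control concepts above as one small reference monitor in Python: the user identifies, is authenticated against a salted password hash, is authorized against a per-resource table of the read/create/modify/delete rights, and every decision is logged for accountability. The users, passwords, resource name and permission table are constructed sample data.

```python
"""Added illustration (not from the course notes): identification,
authentication, authorization and accountability as one reference monitor.
All users, passwords and permissions below are constructed sample data."""
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

# Access rights named in the lecture: read, create, modify, delete.
RIGHTS = {"read", "create", "modify", "delete"}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked credential table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ReferenceMonitor:
    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}   # identity -> (salt, hash)
        self._acl: Dict[str, Dict[str, Set[str]]] = {}     # resource -> identity -> rights
        self.audit_log: List[str] = []                     # accountability record

    # --- provisioning, done by the application or the resource owner ---
    def add_user(self, identity: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[identity] = (salt, _hash_password(password, salt))

    def grant(self, identity: str, resource: str, rights: Set[str]) -> None:
        unknown = rights - RIGHTS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self._acl.setdefault(resource, {}).setdefault(identity, set()).update(rights)

    # --- authentication: proving the claimed identity ---
    def authenticate(self, identity: str, password: str) -> bool:
        stored = self._creds.get(identity)
        if stored is None:
            # Hash anyway so an unknown identity takes about as long as a wrong password.
            _hash_password(password, b"\0" * 16)
            return False
        salt, expected = stored
        return hmac.compare_digest(_hash_password(password, salt), expected)

    # --- authorization: what the proven identity is permitted to do ---
    def is_authorized(self, identity: str, resource: str, right: str) -> bool:
        return right in self._acl.get(resource, {}).get(identity, set())

    # --- one request: identification -> authentication -> authorization -> audit log ---
    def request(self, identity: str, password: str, resource: str, right: str) -> bool:
        if not self.authenticate(identity, password):
            self.audit_log.append(f"DENY  auth-failed    {identity} {right} {resource}")
            return False
        if not self.is_authorized(identity, resource, right):
            self.audit_log.append(f"DENY  not-authorized {identity} {right} {resource}")
            return False
        self.audit_log.append(f"ALLOW                {identity} {right} {resource}")
        return True


def demo() -> ReferenceMonitor:
    """Constructed scenario: alice may read and modify the payroll file, bob may only read it."""
    rm = ReferenceMonitor()
    rm.add_user("alice", "correct horse")      # constructed sample credentials
    rm.add_user("bob", "battery staple")
    rm.grant("alice", "payroll.xlsx", {"read", "modify"})
    rm.grant("bob", "payroll.xlsx", {"read"})
    rm.request("alice", "correct horse", "payroll.xlsx", "modify")   # allowed
    rm.request("bob", "battery staple", "payroll.xlsx", "modify")    # authenticated, not authorized
    rm.request("bob", "wrong", "payroll.xlsx", "read")               # authentication fails first
    rm.request("mallory", "x", "payroll.xlsx", "read")               # unknown identity
    return rm


if __name__ == "__main__":
    for line in demo().audit_log:
        print(line)
```

The audit log separates "who failed to prove identity" from "who was authenticated but lacked the right", which is exactly the distinction the lecture draws between authentication and authorization.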
Chris Lee
Enterprise Mobility Support Engineer SAP

I am here to talk to you today about Software Development Security.
The system/software development life cycle has been around for years. What we now know is that it is important to embed software security principles throughout the software development life cycle. This is easier said than done. Software development involves numerous stakeholders (e.g. top management, clients, managers etc.). The good thing is that (ISC)2 has come up with ten best practices for secure software development.
The ten best practices are:
  1. Protect the brand your customers trust. Attackers will not just disrupt business operations, but may also impact customer confidence.
  2. Know your business and support it with secure solutions. A security professional must not only have a strong background in technology, but must also have a thorough understanding of the business when it comes to creating secure solutions.
  3. Understand the technology of the software. A lack of understanding of the technology used to build or buy software can lead to insecure implementations of the software.
  4. Ensure compliance to governance, regulations, and privacy. A software security professional needs to be well versed in meeting regulatory and privacy requirements.
  5. Know the basic components of software security. These basic components are: protection from disclosure (which is confidentiality); protection from alteration (integrity); protection from destruction (which is availability); who is making the request (which is authentication); what rights and privileges the requestor has (which is authorization); the ability to build historical evidence (which is auditing); and the management of configuration, sessions, and exceptions.
  6. Ensure the protection of sensitive information. It’s not just important to protect the brand customers trust, but it is vital that any sensitive information be protected as well.
  7. Design software with secure features. When a software developer focuses only on finding security issues in code, he or she runs the risk of missing out on vulnerabilities such as business logic flaws, which can’t be detected in code.
  8. Develop software with secure features. It is imperative that secure features aren’t ignored when design artifacts are converted into syntax constructs.
  9. Deploy software with secure features. A development team needs to ensure that the development and test environments properly simulate the production environment.
  10. Educate yourself and others on how to build secure software. It is important to create a culture that factors in software security from the very beginning by default. The National Institute of Standards and Technology (NIST) states that education should cause a change in attitudes, which in turn will change the organizational culture.
Readings:
An introduction to information security
Headline news scares about stolen or missing data are becoming a frequent occurrence as...
1 Why is information security important?
This unit introduces you to information security and its management. A succinct definition of information security might run as follows:
Information security is the collection of technologies, standards, policies and management practices that are applied to information to keep it secure.
But why is it important to secure information? And how should its security be managed? To start thinking about these questions, consider the following statements about information:
In today's high technology environment, organisations are becoming more and more dependent on their information systems. The public is increasingly concerned about the proper use of information, particularly personal data. The threats to information systems from criminals and terrorists are increasing. Many organisations will identify information as an area of their operation that needs to be protected as part of their system of internal control.
(Nigel Turnbull, 2003, p. xi)
Competitive advantage ... is dependent on superior access to information. (Robert M Grant, 2000, p. 186)
Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders.
(Ronald Reagan, 1989)
It is vital to be worried about information security because much of the value of a business is concentrated in the value of its information. Information is, as Grant says, the basis of competitive advantage. And in the not-for-profit sector, with increased public awareness of identity theft and the power of information, it is also, as Turnbull claims, the area of an organisation's operations that most needs control. Without information, neither businesses nor the not-for-profit sector could function. Valuing and protecting information are crucial tasks for the modern organisation.
If information were easy to value and protect, however, you would be able to buy off-the-shelf information security management solutions. There are three characteristics of information security that make this impossible.
  1. The collection of influences to which each organisation is exposed varies with the organisation: the information technology that it uses, its personnel, the area in which it does business, its physical location – all these have an effect on information security.
  2. Information security affects every structural and behavioural aspect of an organisation: a gap in a security fence can permit information to be stolen; a virally infected computer connected to an organisation's network can destroy information; a cup of coffee spilt on a computer keyboard can prevent access to information.
  3. Each individual that interacts with an organisation in any way – from the potential customer browsing the website, to the managing director; from the malicious hacker, to the information security manager – will make his or her own positive or negative contribution to the information security of the organisation.
Thus information security and its management need to be examined within an organisational context. To this end, a major aim of this unit is to give you the opportunity to:
investigate your organisation and determine the precise mix of information security issues that affect it;
explain the links between areas of an organisation and navigate your organisation's information security web;
identify the security contributions of each individual, and so suggest strategies to make the sum of the positive contributions greater than the sum of the negative ones.
Before you can investigate information security and its management within your organisation, we need to introduce you in more detail to the complexities of the topic. This is the purpose of this unit. Section 2 discusses the meaning of the terms information, information security and information security management. Section 3 looks at information security and its imperatives and incentives. Section 4 discusses information assets. Section 5 examines the planning of an information security management system. Section 6 addresses how risks to information security can be assessed and how information assets can be identified. Section 7 describes how a system for information security management can be implemented and continually improved.
Source of this reading: "An introduction to information security", a free course by The Open University (Computing and ICT), Masters level, duration 55 hours, updated Wednesday 11th December 2013. Its summary: Headline news scares about stolen or missing data are becoming a frequent occurrence as organisations rely more and more heavily on computers to store sensitive corporate and customer information. This unit discusses the importance of protecting information and gives an overview of information security management systems. By the end of this unit you should have developed an understanding of: how you select appropriate techniques to tackle and solve problems in the discipline of information security management; why security and its management are important for any modern organisation; how an information security management system should be planned, documented, implemented and improved, according to the BSi standard on information security management.
2 Information, information security and information security management
2.1 What is information?
Information comprises the meanings and interpretations that people place upon facts, or data. The value of information springs from the ways it is interpreted and applied to make products, to provide services, and so on.
Many modern writers look at organisations in terms of the use they make of information. For instance, one particularly successful model of business is based on the assets that a firm owns. Assets have traditionally meant tangible things like money, property, plant, systems; but business analysts have increasingly recognised that information is itself an asset, crucial to adding value. As Grant said in Section 1, information underpins competitive advantage. Indeed, there are writers, such as Itami and Roehl (1987), who believe that the true value of an organisation is in the information it uses and creates.
But, of course, there is a negative side too: the use of information in both the for-profit and not-for-profit sectors is increasingly the subject of legislation and regulation, in recognition of the damage its misuse can have on individuals.
Note: All activities in this unit consist of a statement of the activity followed by some guidance and/or a discussion. You should read the guidance before attempting the activity, and the discussion after attempting it.
Activity 1
(a) In your notebook, write down the main objective – sometimes called the mission – of your organisation.
(b) List the main kinds of information your organisation requires to meet its mission. Note down any areas in which the mission makes preserving the value of information difficult.
(c) Read the Introduction to IT Governance: A Manager's Guide to Data Security & BS 7799/ISO 177799 (2nd edition) by Alan Calder and Steve Watkins (the Set Book) and make notes on why information is important to a modern organisation.
Guidance
  1. Your answer to (b) will depend on the nature of your organisation. If your organisation produces a product, you may be able to identify information that is used in the creation of the product, including intellectual property such as designs and patents. If your organisation is a retailer, appropriate information might include customer information and price lists. A not-for-profit organisation will perhaps have employee lists, client lists, stock lists, a charter, etc. All for-profit organisations are required to keep financial information.
  2. Don't worry if you feel that you take little from your reading of the Introduction to the Set Book at this stage. We suggest that you make a note to reread the material, and to refer back to the notes that you made, once you have completed this unit. You are likely to find that you are then better able to appreciate the arguments presented.
2.2 What is information security?
Seen in the way we have just defined it, information is a valuable asset. Information security protects information (and the facilities and systems that store, use and transmit it) from a wide range of threats, in order to preserve its value to an organisation.
This definition of information security is adapted from that of the American National Security Telecommunications and Information Systems Security Committee (NSTISSC).
There are two important characteristics of information that determine its value to an organisation:
the scarcity of the information outside the organisation;
the shareability of the information within the organisation, or some part of it.
Simplifying somewhat, these characteristics state that information is only valuable if it provides advantage or utility to those who have it, compared with those who don't.
Thus the value of any piece of information relates to its levels of shareability and scarcity. The aim of information security is to preserve the value of information by ensuring that these levels are correctly identified and preserved.
Threats to information influence the organisation's ability to share it within, or to preserve its scarcity outside. And threats that are carried out can cost millions in compensation and reputation, and may even jeopardise an institution's ability to survive. Here are some examples in which the making available of information that should have been kept scarce or the restricting of information that should have been shareable has damaged an organisation.
Example 1: Softbank – theft of consumer data for extortion
Softbank of Japan offers broadband internet services across Japan through two subsidiaries – Yahoo! BB and Softbank BB. In February 2004, the bank announced that the security of 4.5 million customer records had been compromised: data from both subsidiaries had been illegally copied and disseminated. The leaked details included customer names, home phone numbers, addresses and email IDs, but did not include passwords, access logs or credit card details.
Softbank became aware of the problem only when they were approached by two groups of extortionists. The criminals produced apparently genuine customer data and threatened that all of the data would be posted to the internet if they were not paid a large sum of money.
Japanese police made three arrests but suspected that there may have been connections to organised crime and the political far-right. Amazingly, the police concluded that there had in fact been two simultaneous, yet independent, extortion attempts against Softbank, both of them masterminded by employees of the company. All of the people accused of extortion had been authorised to access the customer data; but it appeared that Softbank had inadequate procedures to protect against its unwarranted copying and dissemination.
The bank immediately announced a tightening of security, further restricting access to their systems and enforcing tighter security on all of their subsidiaries. Profuse apologies were offered to the affected customers and ¥4 billion (£20 million) were paid in compensation. Furthermore, Softbank BB's president, Masayoshi Son, announced that he and other senior executives would take a 50 per cent pay cut for the next six months.
In this example, the threat was to reduce the value of an organisation by revealing information that should have been a well-kept secret – scarce-within as well as scarce-without. It cost the company £20 million in compensation and affected its reputation.
Example 2: UCSF Medical Center
In October 2002, the University of California, San Francisco (UCSF) Medical Center received an email message from someone who claimed to be a doctor working in Pakistan and who threatened to release patient records onto the internet unless money owing to her was paid. Several confidential medical transcripts were attached to the email.
UCSF staff were mystified; they had no dealings in Pakistan and certainly did not employ the person who sent the email. The Medical Center began an immediate investigation, concentrating on their transcription service, which had been outsourced to Transcription Stat, based in nearby Sausalito. It transpired that Transcription Stat farmed out work to some fifteen subcontractors scattered across America. One of these subcontractors was Florida-based Sonya Newburn, who in turn employed further subcontractors, including one Tom Spires of Texas. No one at Transcription Stat realised that Spires also employed his own subcontractors, including the sender of the email. The sender alleged that Spires owed her money, and had not paid her for some time.
Newburn eventually agreed to pay the $500 that the email sender claimed was owed to her. In return the sender informed UCSF that she had had no intention of publicising personal information and had destroyed any records in her care. Of course, there is no way to prove that the records have actually been destroyed.
Naturally, you would not wish your own medical records to be publicised: they should be scarce. This threat cost the organisation little in money terms, but how much in reputation? Just what is a reputation worth? Or, to put it another way, how much is it worth paying in information security to protect a reputation?
Example 3: Logic bombs
In May 2000, Timothy Lloyd was found guilty of causing between $10 million and $12 million worth of damage to Omega Engineering, an American company specialising in precision engineering for clients, including the US Navy and NASA. Lloyd had been employed with Omega for 11 years, rising to the post of system administrator, and was responsible not only for the day-to-day operation of the company's computers but also for their disaster-recovery process.
In 1996, Lloyd became aware that he was about to be sacked and wrote a logic bomb – a six-line destructive program – which he installed on Omega's servers. Ten days later, Lloyd was dismissed and his logic bomb exploded, destroying company contracts and proprietary software used by Omega's manufacturing tools. Although Omega had instituted a backup procedure, Lloyd's account privileges had allowed him to disable these recovery systems. The damage done by his logic bomb was permanent.
When the logic bomb ‘exploded’ it wiped out information that was needed for the company to operate. As a result of lost business, Omega was forced to lay off some 80 employees and found itself rewriting the very software which had once given it a competitive edge over its rivals. In effect, what Lloyd managed to do, in the most decisive way possible, was to prevent vital information being shared.
Activity 2
Read the Foreword to IT Governance: A Manager's Guide to Data Security & BS 7799/ISO 17799 (the Set Book), written by Nigel Turnbull.
(a) Write down the three reasons Turnbull gives for companies recognising the need to protect information.
(b) Write down two of the ways in which this unit should be valuable to you and your own organisation.
Guidance
You may wish to discuss your answer to (b) with other learners, using the Comments section below.
2.3 What is information security management?
Information security management is the process by which the value of each of an organisation's information assets is assessed and, if appropriate, protected on an ongoing basis. The information an organisation holds will be stored, used and transmitted using various media, some of which will be tangible – paper, for example – and some intangible – such as the ideas in employees' minds. Preserving the value of information is mainly a question of protecting the media in which it is contained.
Building an information security management system (as we present it in this unit) is achieved through the systematic assessment of the systems, technologies and media used for information assets, the appraisal of the costs of security breaches, and the development and deployment of countermeasures to threats. Put simply, information security management recognises the most vulnerable spots in an organisation and builds armour-plating to protect them.
The diversity of the media used for an organisation's information assets is just one of the difficulties to be overcome in building an information security management system. Among other difficulties are the following.
Effective information security measures often run counter to the mission of an organisation. For instance, the safest way to secure a computer and the information on it is to allow no access to it at all!
The requirement to respect the needs of the users of the organisation's information, so that they can continue to do their jobs properly.
We can deduce that no single solution can address all possible security concerns. The only strategy is to engineer a fit-for-purpose solution that achieves a suitable balance between risks and protection against them.
As with all management systems, the engineering of a fit-for-purpose information security management system is achieved through hard work. Part of the hard work is, of course, an understanding of the technologies involved – we provide the necessary details in this unit. Other major tasks are identifying the needs of the different stakeholders and ensuring coverage of every procedure and policy that involves the development, transformation or dissemination of sensitive information.
Thus, information security management is a development activity analogous to the development of software, and we shall present it in this way throughout this unit.
3 Information security imperatives and incentives
3.1 Introduction
The design of a successful information security policy and strategy for any organisation requires an assessment of a number of key factors. These factors can be categorised as either imperatives or incentives . Imperatives are pressures that force you to act. Incentives are the rewards and opportunities that arise from acting.
In Subsection 3.2 we examine the main imperatives confronting organisations. These arise either from threats to information assets or from the obligation to comply with UK law and with codes governing the management and control of public and private assets and the protection of the interests of stakeholders. We place all of these imperatives in a wider framework of ethical practice in information management.
In Subsection 3.3 we look briefly at some of the incentives for engaging in information security management. Incentives mainly come in the form of opportunities to reduce the cost of existing ways of working and new options for pursuing an organisation's objectives.
3.2 Imperatives
Imperatives generally arise from three sources:
a. threats: companies that depend on information and the technologies that carry it have to protect these resources from a wide range of threats;
b. legislation: many countries have enacted legislation to govern the storage and use of information;
c. regulation: many countries have regulations governing the management and control of public and private assets.
Chapters 1 and 2 of IT Governance: A Manager's Guide to Data Security & BS 7799/ISO 17799 highlight some of the main imperatives facing organisations in the UK. Chapter 1 presents a case for action based upon likely threats and the need to comply with current legislation. Citing industry surveys, it gives an account of the prevalence of threats, introducing two specific categories: cybercrime and cyberwar. Chapter 2 expands the authors' case, describing the obligation of many UK organisations to comply with the Combined Code, the recommendations of the Turnbull Report and the public-sector equivalents of these. You will be asked to read these chapters as you study this section.
3.2.2. Legislation
In Chapter 1 of IT Governance: A Manager's Guide to Data Security & BS 7799/ISO 17799 (the Set Book), the section entitled ‘Legislation’ lists the UK legislation that affects the management of information security. One way to appreciate the relevance of legislation to an organisation is to identify the rights and entitlements it establishes and then to establish whether the organisation or its stakeholders have an interest in those rights and entitlements. For each law considered, Table 1 identifies, in general terms, the legal rights established and the parties whose interests are protected by it.
NIST Chapter 17: Logical Access Controls
… some way (usually through physical and system-based controls). Computer-based access controls are called logical access controls. Logical access controls can prescribe not only who or what (e.g., in the case of a process) is to have access to a specific system resource but also the type of access that is permitted. These controls may be built into the operating system, may be incorporated into applications programs or major utilities (e.g., database management systems or communications systems), or may be implemented through add-on security packages. Logical access controls may be implemented internally to the computer system being protected or may be implemented in external devices.
114 The term computer resources includes information as well as system resources, such as programs, subroutines, and hardware (e.g., modems, communications lines).
115 Users need not be actual human users. They could include, for example, a program or another computer requesting use of a system resource.
The term access is often confused with authorization and authentication.
Access is the ability to do something with a computer resource. This usually refers to a technical ability (e.g., read, create, modify, or delete a file, execute a program, or use an external connection).
Authorization is the permission to use a computer resource. Permission is granted, directly or indirectly, by the application or system owner.
Authentication is proving (to some reasonable degree) that users are who they claim to be.
IV. Technical Controls
Logical access controls can help protect:
operating systems and other system software from unauthorized modification or manipulation (and thereby help ensure the system's integrity and availability);
the integrity and availability of information by restricting the number of users and processes with access; and
confidential information from being disclosed to unauthorized individuals.
Controlling access is normally thought of as applying to human users (e.g., will technical access be provided for user JSMITH to the file "payroll.dat") but access can be provided to other computer systems. Also, access controls are often incorrectly thought of as only applying to files. However, they also protect other system resources such as the ability to place an outgoing long-distance phone call through a system modem (as well as, perhaps, the information that can be sent over such a call). Access controls can also apply to specific functions within an application and to specific fields of a file.
This chapter first discusses basic criteria that can be used to decide whether a particular user should be granted access to a particular system resource. It then reviews the use of these criteria by those who set policy (usually system-specific policy), commonly used technical mechanisms for implementing logical access control, and issues related to administration of access controls.
17.1 Access Criteria
In deciding whether to permit someone to use a system resource, logical access controls examine whether the user is authorized for the type of access requested. (Note that this inquiry is usually distinct from the question of whether the user is authorized to use the system at all, which is usually addressed in an identification and authentication process.)
The system uses various criteria to determine if a request for access will be granted. They are typically used in some combination. Many of the advantages and complexities involved in implementing and managing access control are related to the different kinds of user accesses supported.
When determining what kind of technical access to allow to specific data, programs, devices, and resources, it is important to consider who will have access and what kind of access they will be allowed. It may be desirable for everyone in the organization to have access to some information on the system, such as the data displayed on an organization's daily calendar of nonconfidential meetings. The program that formats and displays the calendar, however, might be modifiable by only a very few system administrators, while the operating system controlling that program might be directly accessible by still fewer.
17.1.1 Identity
It is probably fair to say that the majority of access controls are based upon the identity of the user (either human or process), which is usually obtained through identification and authentication (I&A). (See Chapter 16.) The identity is usually unique, to support individual accountability, but can be a group identification or can even be anonymous. For example, public information dissemination systems may serve a large group called "researchers" in which the individual researchers are not known.
17.1.2 Roles
Access to information may also be controlled by the job assignment or function (i.e., the role) of the user who is seeking access. Examples of roles include data entry clerk, purchase officer, project leader, programmer, and technical editor. Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. An individual may be authorized for more than one role, but may be required to act in only a single role at a time. Changing roles may require logging out and then in again, or entering a role-changing command. Note that use of roles is not the same as shared-use accounts. An individual may be assigned a standard set of rights of a shipping department data entry clerk, for example, but the account would still be tied to that individual's identity to allow for auditing. (See Chapter 18.)
Many systems already support a small number of special-purpose roles, such as System Administrator or Operator. For example, an individual who is logged on in the role of a System Administrator can perform operations that would be denied to the same individual acting in the role of an ordinary user.
Recently, the use of roles has been expanded beyond system tasks to application-oriented activities. For example, a user in a company could have an Order Taking role, and would be able to collect and enter customer billing information, check on availability of particular items, request shipment of items, and issue invoices. In addition, there could be an Accounts Receivable role, which would receive payments and credit them to particular invoices. A Shipping role could then be responsible for shipping products and updating the inventory. To provide additional security, constraints could be imposed so a single user would never be simultaneously authorized to assume all three roles. Constraints of this kind are sometimes referred to as separation of duty constraints.
The use of roles can be a very effective way of providing access control. The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.
17.1.3 Location
Access to particular system resources may also be based upon physical or logical location. For example, in a prison, all users in areas to which prisoners are physically permitted may be limited to read-only access. Changing or deleting is limited to areas to which prisoners are denied physical access. The same authorized users (e.g., prison guards) would operate under significantly different logical access controls, depending upon their physical location. Similarly, users can be restricted based upon network addresses (e.g., users from sites within a given organization may be permitted greater access than those from outside).
17.1.4 Time
Time-of-day or day-of-week restrictions are common limitations on access. For example, use of confidential personnel files may be allowed only during normal working hours - and may be denied before 8:00 a.m. and after 6:00 p.m. and all day during weekends and holidays.
17.1.5 Transaction
Another approach to access control can be used by organizations handling transactions (e.g., account inquiries). Phone calls may first be answered by a computer that requests that callers key in their account number and perhaps a PIN. Some routine transactions can then be made directly, but more complex ones may require human intervention. In such cases, the computer, which already knows the account number, can grant a clerk, for example, access to a particular account for the duration of the transaction. When completed, the access authorization is terminated. This means that users have no choice in which accounts they have access to, and can reduce the potential for mischief. It also eliminates employee browsing of accounts (e.g., those of celebrities or their neighbors) and can thereby heighten privacy.
17.1.6 Service Constraints
Service constraints refer to those restrictions that depend upon the parameters that may arise during use of the application or that are preestablished by the resource owner/manager. For example, a particular software package may only be licensed by the organization for five users at a time. Access would be denied for a sixth user, even if the user were otherwise authorized to use the application. Another type of service constraint is based upon application content or numerical thresholds. For example, an ATM machine may restrict transfers of money between accounts to certain dollar limits or may limit maximum ATM withdrawals to $500 per day. Access may also be selectively permitted based on the type of service requested. For example, users of computers on a network may be permitted to exchange electronic mail but may not be allowed to log in to each others' computers.
17.1.7 Common Access Modes
In addition to considering criteria for when access should occur, it is also necessary to consider the types of access, or access modes. The concept of access modes is fundamental to access control. Common access modes, which can be used in both operating or application systems, include the following:[116]
[116] These access modes are described generically; exact definitions and capabilities will vary from implementation to implementation. Readers are advised to consult their system and application documentation.
Read access provides users with the capability to view information in a system resource (such as a file, certain records, certain fields, or some combination thereof), but not to alter it, such as delete from, add to, or modify in any way. One must assume that information can be copied and printed if it can be read (although perhaps only manually, such as by using a print screen function and retyping the information into another file).
Write access allows users to add to, modify, or delete information in system resources (e.g., files, records, programs). Normally users have read access to anything they have write access to.
Execute privilege allows users to run programs.
Delete access allows users to erase system resources (e.g., files, records, fields, programs).[117] Note that if users have write access but not delete access, they could overwrite the field or file with gibberish or otherwise inaccurate information and, in effect, delete the information.
Other specialized access modes (more often found in applications) include:
Create access allows users to create new files, records, or fields.
Search access allows users to list the files in a directory.
Of course, these criteria can be used in conjunction with one another. For example, an organization may give authorized individuals write access to an application at any time from within the office but only read access during normal working hours if they dial-in.
Depending upon the technical mechanisms available to implement logical access control, a wide variety of access permissions and restrictions are possible. No discussion can present all possibilities.
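The criteria above are normally evaluated together for a single request. The following is an added example (not code from the handbook) that combines access modes (17.1.7), network location (17.1.3), time of day (17.1.4) and a concurrent-use licence limit (17.1.6) into one decision, using the handbook's own rule that a user may have write access from inside the office at any time but only read access, during working hours, when dialing in. The office address range, working hours, user names and the "write implies read" convention are constructed assumptions.

```python
"""Access decision combining the 17.1 criteria: access modes, location,
time of day and a service constraint. Added example, not from the NIST
handbook; policy values, user names and addresses are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

MODES = {"read", "write", "execute", "delete"}
# Convention stated in 17.1.7: write access normally implies read access.
IMPLIED = {"write": {"read"}}


@dataclass
class Policy:
    office_net: object = ip_network("10.0.0.0/8")   # constructed office address range
    work_hours: tuple = (8, 18)                     # 8:00 a.m. to 6:00 p.m.
    working_days: frozenset = frozenset(range(5))   # Monday (0) to Friday (4)
    max_concurrent: int = 5                         # licensed for five users at a time


@dataclass
class Session:
    user: str
    src_ip: str
    when: datetime


class AccessController:
    """Decides one access request against the policy and tracks licence seats."""

    def __init__(self, policy, authorized):
        self.policy = policy
        self.authorized = authorized   # user -> set of modes the owner granted
        self.active = set()            # users currently holding a licence seat

    def _in_office(self, session):
        return ip_address(session.src_ip) in self.policy.office_net

    def _working_hours(self, when):
        start, end = self.policy.work_hours
        return when.weekday() in self.policy.working_days and start <= when.hour < end

    def decide(self, session, mode):
        """Return (allowed, reason); on success the user occupies a licence seat."""
        if mode not in MODES:
            return False, "unknown access mode"
        granted = set()
        for m in self.authorized.get(session.user, ()):
            granted.add(m)
            granted |= IMPLIED.get(m, set())
        if mode not in granted:
            return False, "mode not granted to user"
        # The handbook's combined rule: any granted mode from within the office
        # at any time, but only read access, and only during working hours,
        # when dialing in from outside.
        if not self._in_office(session):
            if mode != "read":
                return False, "only read access is permitted from outside the office"
            if not self._working_hours(session.when):
                return False, "outside access is limited to normal working hours"
        # Service constraint: a sixth concurrent user is refused even though
        # otherwise authorized.
        if session.user not in self.active and len(self.active) >= self.policy.max_concurrent:
            return False, "concurrent-use licence limit reached"
        self.active.add(session.user)
        return True, "ok"

    def end_session(self, user):
        """Release the licence seat when the user's session ends."""
        self.active.discard(user)
```

The order of the checks matters: the mode check comes first so that a user who was never granted write access is refused for that reason rather than for being outside the office, which keeps the denial reasons useful in an audit trail. The licence seat is only consumed after every other check passes, so refused requests never exhaust the pool.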
17.2 Policy: The Impetus for Access Controls
Logical access controls are a technical means of implementing policy decisions. Policy is made by a management official responsible for a particular system, application, subsystem, or group of systems. The development of an access control policy may not be an easy endeavor. It requires balancing the often-competing interests of security, operational requirements, and user-friendliness. In addition, technical constraints have to be considered.
[117] "Deleting" information does not necessarily physically remove the data from the storage media. This can have serious implications for information that must be kept confidential. See "Disposition of Sensitive Automated Information," CSL Bulletin, NIST, October 1992.
This chapter discusses issues relating to the technical implementation of logical access controls - not the actual policy decisions as to who should have what type of access. These decisions are typically included in system-specific policy, as discussed in Chapters 5 and 10.
Once these policy decisions have been made, they will be implemented (or enforced) through logical access controls. In doing so, it is important to realize that the capabilities of various types of technical mechanisms (for logical access control) vary greatly.[118]
A few simple examples of specific policy issues are provided below; it is important to recognize, however, that comprehensive system-specific policy is significantly more complex.
1. The director of an organization's personnel office could decide that all clerks can update all files, to increase the efficiency of the office. Or the director could decide that clerks can only view and update specific files, to help prevent information browsing.
2. In a disbursing office, a single individual is usually prohibited from both requesting and authorizing that a particular payment be made. This is a policy decision taken to reduce the likelihood of embezzlement and fraud.
3. Decisions may also be made regarding access to the system itself. In the government, for example, the senior information resources management official may decide that agency systems that process information protected by the Privacy Act may not be used to process public-access database applications.
[118] Some policies may not be technically implementable; appropriate technical controls may simply not exist.
17.3 Technical Implementation Mechanisms
Many mechanisms have been developed to provide internal and external access controls, and they vary significantly in terms of precision, sophistication, and cost. These methods are not mutually exclusive and are often employed in combination. Managers need to analyze their organization's protection requirements to select the most appropriate, cost-effective logical access controls.
17.3.1 Internal Access Controls
Internal access controls are a logical means of separating what defined users (or user groups) can or cannot do with system resources. Five methods of internal access control are discussed in this section: passwords, encryption, access control lists, constrained user interfaces, and labels.
17.3.1.1 Passwords
Passwords are most often associated with user authentication. (See Chapter 16.) However, they are also used to protect data and applications on many systems, including PCs. For instance, an accounting application may require a password to access certain financial data or to invoke a restricted application (or function of an application).[119]
Password-based access control is often inexpensive because it is already included in a large variety of applications. However, users may find it difficult to remember additional application passwords, which, if written down or poorly chosen, can lead to their compromise. Password-based access controls for PC applications are often easy to circumvent if the user has access to the operating system (and knowledge of what to do). As discussed in Chapter 16, there are other disadvantages to using passwords.
17.3.1.2 Encryption
Another mechanism that can be used for logical access control is encryption. Encrypted information can only be decrypted by those possessing the appropriate cryptographic key. This is especially useful if strong physical access controls cannot be provided, such as for laptops or floppy diskettes. Thus, for example, if information is encrypted on a laptop computer, and the laptop is stolen, the information cannot be accessed. While encryption can provide strong access control, it is accompanied by the need for strong key management. Use of encryption may also affect availability. For example, lost or stolen keys or read/write errors may prevent the decryption of the information. (See the cryptography chapter.)
17.3.1.3 Access Control Lists
Access Control Lists (ACLs) refer to a register of: (1) users (including groups, machines, processes) who have been given permission to use a particular system resource, and (2) the types of access they have been permitted.
ACLs vary considerably in their capability and flexibility. Some only allow specifications for certain pre-set groups (e.g., owner, group, and world) while more advanced ACLs allow much more flexibility, such as user-defined groups. Also, more advanced ACLs can be used to explicitly deny access to a particular individual or group. With more advanced ACLs, access can be at the discretion of the policymaker (and implemented by the security administrator) or individual user, depending upon how the controls are technically implemented.
Elementary ACLs. Elementary ACLs (e.g., "permission bits") are a widely available means of providing access control on multiuser systems. In this scheme, a short, predefined list of the access rights to files or other system resources is maintained.
[119] Note that this password is normally in addition to the one supplied initially to log onto the system.
The use of passwords as a means of access control can result in a proliferation of passwords that can reduce overall security.
Elementary ACLs are typically based on the concepts of owner, group, and world. For each of these, a set of access modes (typically chosen from read, write, execute, and delete) is specified by the owner (or custodian) of the resource. The owner is usually its creator, though in some cases, ownership of resources may be automatically assigned to project administrators, regardless of the identity of the creator. File owners often have all privileges for their resources.
Example of Elementary ACL for the file "payroll"
Owner: PAYMANAGER. Access: Read, Write, Execute, Delete
Group: COMPENSATION-OFFICE. Access: Read, Write, Execute, Delete
"World". Access: None
In addition to the privileges assigned to the owner, each resource is associated with a named group of users. Users who are members of the group can be granted modes of access distinct from nonmembers, who belong to the rest of the "world" that includes all of the system's users. User groups may be arranged according to departments, projects, or other ways appropriate for the particular organization. For example, groups may be established for members of the Personnel and Accounting departments. The system administrator is normally responsible for technically maintaining and changing the membership of a group, based upon input from the owners/custodians of the particular resources to which the groups may be granted access.
As the name implies, however, the technology is not particularly flexible. It may not be possible to explicitly deny access to an individual who is a member of the file's group. Also, it may not be possible for two groups to easily share information (without exposing it to the "world"), since the list is predefined to only include one group. If two groups wish to share information, an owner may make the file available to be read by "world." This may disclose information that should be restricted. Unfortunately, elementary ACLs have no mechanism to easily permit such sharing.
Advanced ACLs. Like elementary ACLs, advanced ACLs provide a form of access control based upon a logical registry. They do, however, provide finer precision in control.
Since one would presume that no one would have access without being granted access, why would it be desirable to explicitly deny access? Consider a situation in which a group name has already been established for 50 employees. If it were desired to exclude five of the individuals from that group, it would be easier for the access control administrator to simply grant access to that group and take it away from the five rather than grant access to 45 people. Or, consider the case of a complex application in which many groups of users are defined. It may be desired, for some reason, to prohibit Ms. X from generating a particular report (perhaps she is under investigation). In a situation in which group names are used (and perhaps modified by others), this explicit denial may be a safety check to restrict Ms. X's access - in case someone were to redefine a group (with access to the report generation function) to include Ms. X. She would still be denied access.
Advanced ACLs can be very useful in many complex information sharing situations. They provide a great deal of flexibility in implementing system-specific policy and allow for customization to meet the security requirements of functional managers. Their flexibility also makes them more of a challenge to manage. The rules for determining access in the face of apparently conflicting ACL entries are not uniform across all implementations and can be confusing to security administrators. When such systems are introduced, they should be coupled with training to ensure their correct use.
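The difference between the two ACL styles is easiest to see in code. The following is an added example, not code from the handbook, that evaluates the chapter's elementary "payroll" ACL beside an advanced ACL modelled on the chapter's advanced "payroll" table. Two things are assumptions of the example rather than statements of the handbook: the group memberships (L. Carnahan and H. Smith are placed in both PAY-OFFICE and COMPENSATION-OFFICE), and the precedence rule that an explicit deny entry wins over any grant, however the user acquired it. The L. Carnahan row of the table is read as such an explicit denial.

```python
"""Elementary (owner/group/world) ACL beside an advanced ACL with explicit
deny, for the 'payroll' file of the chapter's examples. Added example, not
from the NIST handbook; group memberships and the deny-wins rule are
constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ElementaryACL:
    """Permission bits: one owner, one group, and everyone else."""
    owner: str
    group: str
    owner_modes: frozenset
    group_modes: frozenset
    world_modes: frozenset

    def allows(self, user, user_groups, mode):
        if user == self.owner:
            return mode in self.owner_modes
        if self.group in user_groups:
            return mode in self.group_modes
        return mode in self.world_modes


@dataclass(frozen=True)
class Ace:
    """One entry of an advanced ACL: a user name, a group name, or 'world'."""
    principal: str
    modes: frozenset
    deny: bool = False


class AdvancedACL:
    def __init__(self, entries):
        self.entries = list(entries)

    def allows(self, user, user_groups, mode):
        names = {user, "world"} | set(user_groups)
        applicable = [e for e in self.entries if e.principal in names]
        # An explicit deny wins over every grant, so redefining a group to
        # pull the user back in still leaves the denial in force.
        if any(e.deny and mode in e.modes for e in applicable):
            return False
        return any(not e.deny and mode in e.modes for e in applicable)


ALL = frozenset({"R", "W", "E", "D"})
GROUPS = {   # constructed membership
    "PAY-OFFICE": {"L. Carnahan", "H. Smith"},
    "COMPENSATION-OFFICE": {"L. Carnahan", "H. Smith"},
}


def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}


# Elementary ACL from the chapter: owner and group get everything, world nothing.
PAYROLL_BITS = ElementaryACL("PAYMANAGER", "COMPENSATION-OFFICE", ALL, ALL, frozenset())

# Advanced ACL following the chapter's table: PAY-OFFICE may read, but
# L. Carnahan, though a member, is denied every mode.
PAYROLL_ACL = AdvancedACL([
    Ace("paymgr", ALL),
    Ace("J. Anderson", frozenset({"R", "W", "E"})),
    Ace("L. Carnahan", ALL, deny=True),
    Ace("B. Guttman", frozenset({"R", "W", "E"})),
    Ace("E. Roback", frozenset({"R", "W", "E"})),
    Ace("H. Smith", frozenset({"R"})),
    Ace("PAY-OFFICE", frozenset({"R"})),
    Ace("world", frozenset()),
])


def can(acl, user, mode):
    """Evaluate one request against either kind of ACL."""
    return acl.allows(user, groups_of(user), mode)
```

With the elementary ACL there is no way to remove L. Carnahan's access short of taking her out of COMPENSATION-OFFICE, which also removes her access to everything else that group holds; with the advanced ACL the denial is local to the one file and survives later group changes, which is the "safety check" the chapter describes.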
17.3.1.4 Constrained User Interfaces
Often used in conjunction with ACLs are constrained user interfaces, which restrict users' access to specific functions by never allowing them to request the use of information, functions, or other specific system resources for which they do not have access. Three major types exist: (1) menus, (2) database views, and (3) physically constrained user interfaces.
Constrained user interfaces can provide a form of access control that closely models how an organization operates. Many systems allow administrators to restrict users' ability to use the operating system or application system directly. Users can only execute commands that are provided by the administrator, typically in the form of a menu. Another means of restricting users is through restricted shells which limit the system commands the user can invoke. The use of menus and shells can often make the system easier to use and can help reduce errors.
Database views are a mechanism for restricting user access to data contained in a database. It may be necessary to allow a user to access a database, but that user may not need access to all the data in the database (e.g., not all fields of a record nor all records in the database). Views can be used to enforce complex access requirements that are often needed in database situations, such as those based on the content of a field. For example, consider the situation where clerks maintain personnel records in a database. Clerks are assigned a range of clients based upon last name (e.g., A-C, D-G). Instead of granting a user access to all records, the view can grant the user access to the record based upon the first letter of the last name field.
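The clerk example above, as an added example using SQLite (not code from the handbook): each clerk receives a view that filters on the first letter of the last-name field and also drops the salary column, so the view constrains both which records and which fields are reachable. The table, sample rows and clerk assignments are constructed. SQLite has no per-user GRANT statement, so the example shows the filtering a view provides; in a multiuser DBMS the clerk's account would be granted SELECT on the view and no privilege at all on the base table.

```python
"""Database views as a constrained user interface: each clerk sees only the
personnel records in that clerk's last-name range, minus the salary field.
Added example using sqlite3, not from the NIST handbook; table, rows and
clerk assignments are constructed."""
import sqlite3
import string

# Clerk assignments by first letter of last name, as in the handbook's example.
CLERK_RANGES = {"clerk_ac": ("A", "C"), "clerk_dg": ("D", "G")}

SAMPLE_ROWS = [   # constructed
    ("Anderson", "J.", 52000),
    ("Carnahan", "L.", 61000),
    ("Guttman", "B.", 58000),
    ("Roback", "E.", 64000),
    ("Smith", "H.", 49000),
]


def build_db():
    """Create the base table, load the rows and define one view per clerk."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE personnel ("
        " id INTEGER PRIMARY KEY, last_name TEXT NOT NULL,"
        " first_name TEXT, salary INTEGER)"
    )
    con.executemany(
        "INSERT INTO personnel (last_name, first_name, salary) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    for clerk, (lo, hi) in CLERK_RANGES.items():
        # DDL cannot take bound parameters, so validate every piece that is
        # spliced into the statement before building it.
        if (not clerk.isidentifier()
                or lo not in string.ascii_uppercase
                or hi not in string.ascii_uppercase):
            raise ValueError("bad clerk definition")
        con.execute(
            f"CREATE VIEW {clerk}_records AS "
            "SELECT id, last_name, first_name FROM personnel "
            f"WHERE substr(upper(last_name), 1, 1) BETWEEN '{lo}' AND '{hi}'"
        )
    con.commit()
    return con


def records_for(con, clerk):
    """What the clerk sees: rows from the clerk's view, never the base table."""
    if clerk not in CLERK_RANGES:
        raise PermissionError(f"{clerk} has no view assigned")
    cur = con.execute(
        f"SELECT last_name, first_name FROM {clerk}_records ORDER BY last_name"
    )
    return cur.fetchall()


def view_columns(con, clerk):
    """Column names exposed by the clerk's view (salary is not among them)."""
    if clerk not in CLERK_RANGES:
        raise PermissionError(f"{clerk} has no view assigned")
    cur = con.execute(f"SELECT * FROM {clerk}_records LIMIT 0")
    return [d[0] for d in cur.description]
```

Because the range test is part of the view definition rather than of the application's query, a clerk who edits or replaces the query still cannot reach records outside the assigned range; that is what makes the view an access control rather than a convenience.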
Physically constrained user interfaces can also limit a user's abilities. A common example is an ATM machine, which provides only a limited number of physical buttons to select options; no alphabetic keyboard is usually present.
Example of Advanced ACL for the file "payroll"
paymgr: R, W, E, D
J. Anderson: R, W, E, -
L. Carnahan: -, -, -, -
B. Guttman: R, W, E, -
E. Roback: R, W, E, -
H. Smith: R, -, -, -
PAY-OFFICE: R, -, -, -
world: -, -, -, -
Menu-driven systems are a common constrained user interface, where different users are provided different menus on the same system.
17.3.1.5 Security Labels
A security label is a designation assigned to a resource (such as a file). Labels can be used for a variety of purposes, including controlling access, specifying protective measures, or indicating additional handling instructions. In many implementations, once this designator has been set, it cannot be changed (except perhaps under carefully controlled conditions that are subject to auditing).
Data Categorization
One tool that is used to increase the ease of security labelling is categorizing data by similar protection requirements. For example, a label could be developed for "organization proprietary data." This label would mark information that can be disclosed only to the organization's employees. Another label, "public data" could be used to mark information that is available to anyone.
When used for access control, labels are also assigned to user sessions. Users are permitted to initiate sessions with specific labels only. For example, a file bearing the label "Organization Proprietary Information" would not be accessible (readable) except during user sessions with the corresponding label. Moreover, only a restricted set of users would be able to initiate such sessions. The labels of the session and those of the files accessed during the session are used, in turn, to label output from the session. This ensures that information is uniformly protected throughout its life on the system.
Labels are a very strong form of access control; however, they are often inflexible and can be expensive to administer. Unlike permission bits or access control lists, labels cannot ordinarily be changed. Since labels are permanently linked to specific information, data cannot be disclosed by a user copying information and changing the access to that file so that the information is more accessible than the original owner intended. By removing users' ability to arbitrarily designate the accessibility of files they own, opportunities for certain kinds of human errors and malicious software problems are eliminated. In the example above, it would not be possible to copy Organization Proprietary Information into a file with a different label. This prevents inappropriate disclosure, but can interfere with legitimate extraction of some information.
Labels are well suited for consistently and uniformly enforcing access restrictions, although their administration and inflexibility can be a significant deterrent to their use.
For systems with stringent security requirements (such as those processing national security information), labels may be useful in access control.
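The label mechanism described in this section, as an added example (not code from the handbook). It goes slightly beyond the text in one respect: where the handbook speaks of sessions with the "corresponding label", the code orders the labels so that a session may read files at or below its own label, and it labels the session's output with the most restrictive label the session has read, which is how the "copy into a file with a different label" case is refused. The label names, users and files are constructed.

```python
"""Label-based access control in the style of 17.3.1.5. Added example, not
from the NIST handbook; labels are ordered so a session reads at or below
its own label and its output carries the highest label it has read. Names
are constructed."""
from dataclasses import dataclass

# Constructed ordering: a higher number is more restrictive.
LEVELS = {"public": 0, "organization proprietary": 1}


def dominates(a, b):
    """True when label a is at least as restrictive as label b."""
    return LEVELS[a] >= LEVELS[b]


@dataclass(frozen=True)
class LabeledFile:
    """Frozen so the label is fixed at creation and cannot be edited later."""
    name: str
    label: str
    content: str


class Session:
    def __init__(self, user, label, session_rights):
        # Only a restricted set of users may initiate a session with a given label.
        if label not in session_rights.get(user, ()):
            raise PermissionError(f"{user} may not open a session labeled {label!r}")
        self.user = user
        self.label = label
        self.high_water = label   # most restrictive label read so far

    def read(self, f):
        if not dominates(self.label, f.label):
            raise PermissionError(f"{f.name} is not readable in a {self.label!r} session")
        if dominates(f.label, self.high_water):
            self.high_water = f.label
        return f.content

    def write(self, name, content, label=None):
        """Output is labeled from the session and everything it has read;
        a caller may ask for a more restrictive label, never a weaker one."""
        out_label = self.high_water if label is None else label
        if not dominates(out_label, self.high_water):
            raise PermissionError("output label would be weaker than the data it carries")
        return LabeledFile(name, out_label, content)

    def copy(self, src, name, label=None):
        """Copying is a read followed by a labeled write, so it obeys both rules."""
        return self.write(name, self.read(src), label)
```

The high-water mark is what removes the user's discretion: once a proprietary file has been read in the session, nothing the session writes afterwards can carry the "public" label, whatever the user intends.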
17.3.2 External Access Controls
External access controls are a means of controlling interactions between the system and outside people, systems, and services. External access controls use a wide variety of methods, often including a separate physical device (e.g., a computer) that is between the system being protected and a network.
17.3.2.1 Port Protection Devices
Fitted to a communications port of a host computer, a port protection device (PPD) authorizes access to the port itself, prior to and independent of the computer's own access control functions. A PPD can be a separate device in the communications stream,[120] or it may be incorporated into a communications device (e.g., a modem). PPDs typically require a separate authenticator, such as a password, in order to access the communications port.
One of the most common PPDs is the dial-back modem. A typical dial-back modem sequence follows: a user calls the dial-back modem and enters a password. The modem hangs up on the user and performs a table lookup for the password provided. If the password is found, the modem places a return call to the user (at a previously specified number) to initiate the session. The return call itself also helps to protect against the use of lost or compromised accounts. This is, however, not always the case. Malicious hackers can use such advance functions as call forwarding to reroute calls.
17.3.2.2 Secure Gateways/Firewalls
Often called firewalls, secure gateways block or filter access between two networks, often between a private[121] network and a larger, more public network such as the Internet, which attracts malicious hackers. Secure gateways allow internal users to connect to external networks and at the same time prevent malicious hackers from compromising the internal systems.[122]
Some secure gateways are set up to allow all traffic to pass through except for specific traffic which has known or suspected vulnerabilities or security problems, such as remote log-in services. Other secure gateways are set up to disallow all traffic except for specific types, such as e-mail. Some secure gateways can make access-control decisions based on the location of the requester. There are several technical approaches and mechanisms used to support secure gateways.
[120] Typically PPDs are found only in serial communications streams.
[121] Private network is somewhat of a misnomer. Private does not mean that the organization's network is totally inaccessible to outsiders or prohibits use of the outside network from insiders (or the network would be disconnected). It also does not mean that all the information on the network requires confidentiality protection. It does mean that a network (or part of a network) is, in some way, separated from another network.
[122] Questions frequently arise as to whether secure gateways help prevent the spread of viruses. In general, having a gateway scan transmitted files for viruses requires more system overhead than is practical, especially since the scanning would have to handle many different file formats. However, secure gateways may reduce the spread of network worms.
Because gateways provide security by restricting services or traffic, they can affect a system's usage. For this reason, firewall experts always emphasize the need for policy, so that appropriate officials decide how the organization will balance operational needs and security.
Types of Secure Gateways
There are many types of secure gateways. Some of the most common are packet filtering (or screening) routers, proxy hosts, bastion hosts, dual-homed gateways, and screened-host gateways.
In addition to reducing the risks from malicious hackers, secure gateways have several other benefits. They can reduce internal system security overhead, since they allow an organization to concentrate security efforts on a limited number of machines. (This is similar to putting a guard on the first floor of a building instead of needing a guard on every floor.)
A second benefit is the centralization of services. A secure gateway can be used to provide a central management point for various services, such as advanced authentication (discussed in Chapter 16), e-mail, or public dissemination of information. Having a central management point can reduce system overhead and improve service.
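The two gateway stances described in 17.3.2.2 (pass everything except known-risky services, or pass nothing except specific services) and the location-based decision, as an added example in the form of a minimal packet filter. This is not code from the handbook; the address ranges, the port tables and the sample packets are constructed, with the remote log-in services and e-mail chosen because those are the handbook's own illustrations.

```python
"""The two filtering stances of 17.3.2.2 plus a location rule, as a toy
packet filter. Added example, not from the NIST handbook; address ranges,
rule tables and sample packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int


# Remote log-in services, the kind of traffic the handbook says a gateway blocks.
RISKY_PORTS = {23: "telnet", 512: "rexec", 513: "rlogin"}
# The one service the handbook's deny-by-default gateway lets through.
PERMITTED_PORTS = {25: "smtp"}
INTERNAL_NET = ip_network("192.0.2.0/24")   # constructed private network


def allow_except_risky(pkt):
    """Pass everything except traffic with known or suspected problems."""
    return pkt.dst_port not in RISKY_PORTS


def deny_except_permitted(pkt):
    """Pass only specifically permitted services."""
    return pkt.dst_port in PERMITTED_PORTS


def by_location(pkt):
    """Internal requesters may use any service; outsiders only permitted ones."""
    if ip_address(pkt.src) in INTERNAL_NET:
        return True
    return deny_except_permitted(pkt)


def evaluate(policy, packets):
    """Run one policy over a list of packets and return the pass/drop decisions."""
    return [policy(p) for p in packets]


SAMPLE = [   # constructed; all three arrive from an outside address
    Packet("203.0.113.5", "192.0.2.10", 25),     # e-mail
    Packet("203.0.113.5", "192.0.2.10", 23),     # telnet (remote log-in)
    Packet("203.0.113.5", "192.0.2.10", 8080),   # a service on neither list
]
```

The third sample packet is the one that separates the two stances: an allow-by-default gateway passes it because nobody has yet listed it as risky, while a deny-by-default gateway drops it because nobody has decided it is needed. That asymmetry is why the handbook ties the choice of stance to policy rather than to the mechanism.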
17.3.2.3 Host-Based Authentication
Host-based authentication grants access based upon the identity of the host originating the request, instead of the identity of the user making the request. Many network applications in use today use host-based authentication to determine whether access is allowed. Under certain circumstances it is fairly easy to masquerade as the legitimate host, especially if the masquerading host is physically located close to the host being impersonated. Security measures to protect against misuse of some host-based authentication systems are available (e.g., Secure RPC[123] uses DES to provide a more secure identification of the client host).
[123] RPC, or Remote Procedure Call, is the service used to implement NFS.
An example of host-based authentication is the Network File System (NFS), which allows a server to make file systems/directories available to specific machines.
17.4 Administration of Access Controls
One of the most complex and challenging aspects of access control, administration involves implementing, monitoring, modifying, testing, and terminating user accesses on the system. These can be demanding tasks, even though they typically do not include making the actual decisions as to the type of access each user may have.[124] Decisions regarding accesses should be guided by organizational policy, employee job descriptions and tasks, information sensitivity, user "need-to-know" determinations, and many other factors.
[124] As discussed in the policy section earlier in this chapter, those decisions are usually the responsibility of the applicable application manager or cognizant management official. See also the discussion of system-specific policy in Chapters 5 and 10.
There are three basic approaches to administering access controls: centralized, decentralized, or a combination of these. Each has relative advantages and disadvantages. Which is most appropriate in a given situation will depend upon the particular organization and its circumstances.
17.4.1 Centralized Administration
Using centralized administration, one office or individual is responsible for configuring access controls. As users' information processing needs change, their accesses can be modified only through the central office, usually after requests have been approved by the appropriate official. This allows very strict control over information, because the ability to make changes resides with very few individuals. Each user's account can be centrally monitored, and closing all accesses for any user can be easily accomplished if that individual leaves the organization. Since relatively few individuals oversee the process, consistent and uniform procedures and criteria are usually not difficult to enforce. However, when changes are needed quickly, going through a central administration office can be frustrating and time-consuming.
17.4.2 Decentralized Administration
In decentralized administration, access is directly controlled by the owners or creators of the files, often the functional manager. This keeps control in the hands of those most accountable for the information, most familiar with it and its uses, and best able to judge who needs what kind of access. This may lead, however, to a lack of consistency among owners/creators as to procedures and criteria for granting user accesses and capabilities. Also, when requests are not processed centrally, it may be much more difficult to form a systemwide composite view of all user accesses on the system at any given time. Different application or data owners may inadvertently implement combinations of accesses that introduce conflicts of interest or that are in some other way not in the organization's best interest.[125] It may also be difficult to ensure that all accesses are properly terminated when an employee transfers internally or leaves an organization.
System and Security Administration
The administration of systems and security requires access to advanced functions (such as setting up a user account). The individuals who technically set up and modify who has access to what are very powerful users on the system; they are often called system or security administrators. On some systems, these users are referred to as having privileged accounts.
The type of access of these accounts varies considerably. Some administrator privileges, for example, may allow an individual to administer only one application or subsystem, while a higher level of privileges may allow for oversight and establishment of subsystem administrators.
Normally, users who are security administrators have two accounts: one for regular use and one for security use. This can help protect the security account from compromise. Furthermore, additional I&A precautions, such as ensuring that administrator passwords are robust and changed regularly, are important to minimize opportunities for unauthorized individuals to gain access to these functions.
17.4.3 Hybrid Approach
A hybrid approach combines centralized and decentralized administration. One typical arrangement is that central administration is responsible for the broadest and most basic accesses, and the owners/creators of files control types of accesses or changes in users' abilities for the files under their control. The main disadvantage to a hybrid approach is adequately defining which accesses should be assignable locally and which should be assignable centrally.
17.5 Coordinating Access Controls
It is vital that access controls protecting a system work together. At a minimum, three basic types of access controls should be considered: physical, operating system, and application. In general, access controls within an application are the most specific. However, for application access controls to be fully effective they need to be supported by operating system access controls. Otherwise access can be made to application resources without going through the application.[126] Operating system and application access controls need to be supported by physical access controls.
17.6 Interdependences
Logical access controls are closely related to many other controls. Several of them have been discussed in the chapter.
Policy and Personnel. The most fundamental interdependences of logical access control are with policy and personnel. Logical access controls are the technical implementation of system-specific and organizational policy, which stipulates who should be able to access what kinds of information, applications, and functions. These decisions are normally based on the principles of separation of duties and least privilege.
[125] Without necessary review mechanisms, central administration does not a priori preclude this.
[126] For example, logical access controls within an application block User A from viewing File F. However, if operating systems access controls do not also block User A from viewing File F, User A can use a utility program (or another application) to view the file.
Audit Trails. As discussed earlier, logical access controls can be difficult to implement correctly. Also, it is sometimes not possible to make logical access control as precise, or fine-grained, as would be ideal for an organization. In such situations, users may either deliberately or inadvertently abuse their access. For example, access controls cannot prevent a user from modifying data the user is authorized to modify, even if the modification is incorrect. Auditing provides a way to identify abuse of access permissions. It also provides a means to review the actions of system or security administrators.
Identification and Authentication. In most logical access control scenarios, the identity of the user must be established before an access control decision can be made. The access control process then associates the permissible forms of accesses with that identity. This means that access control can only be as effective as the I&A process employed for the system.
Physical Access Control. Most systems can be compromised if someone can physically access the machine (i.e., CPU or other major components) by, for example, restarting the system with different software. Logical access controls are, therefore, dependent on physical access controls (with the exception of encryption, which can depend solely on the strength of the algorithm and the secrecy of the key).
17.7 Cost Considerations
Incorporating logical access controls into a computer system involves the purchase or use of access control mechanisms, their implementation, and changes in user behavior.
Direct Costs. Among the direct costs associated with the use of logical access controls are the purchase and support of hardware, operating systems, and applications that provide the controls, and any add-on security packages. The most significant personnel cost in relation to logical access control is usually for administration (e.g., initially determining, assigning, and keeping access rights up to date). Label-based access control is available in a limited number of commercial products, but at greater cost and with less variety of selection. Role-based systems are becoming more available, but there are significant costs involved in customizing these systems for a particular organization. Training users to understand and use an access control system is another necessary cost.
Indirect Costs. The primary indirect cost associated with introducing logical access controls into a computer system is the effect on user productivity. There may be additional overhead involved in having individual users properly determine (when under their control) the protection attributes of information. Another indirect cost that may arise results from users not being able to immediately access information necessary to accomplish their jobs because the permissions were incorrectly assigned (or have changed). This situation is familiar to most organizations that put strong emphasis on logical access controls.
Information security for non-technical managers
Dr Eduardo Gelbstein
Information security for non-technical managers, 1st edition
© 2013 Dr. Eduardo Gelbstein & bookboon.com
ISBN 978-87-403-0488-6
Contents
About the author 8
Introduction 10
1 Information security in context 12
1.1 A short history of information technologies and their side effects 12
1.2 Why information security is increasingly important 14
1.3 Ubiquity and irreversible dependencies 15
2 Lessons identified in the last ten years 16
2.1 The semantics of information security 16
2.2 The major target areas in information insecurity 18
2.3 What needs to be done to strengthen security is well known but not done well enough 21
2.4 Certifications 22
2.5 Asymmetries and consequences 23
2.6 Maintaining security is everybody's job 24
3 Defining information security 26
3.1 What is meant by "Information Security" 26
3.2 Differences between Enterprise security, Information security and Information Technology security 27
4 Managing information security in the enterprise 31
4.1 Information Security Governance 32
4.2 The components of information security governance 33
4.3 Managing for security 35
4.4 What makes a good Chief Information Security Officer (CISO) 39
4.5 Your role as a manager 40
5 The four domains of vulnerabilities 42
5.1 Governance vulnerabilities 42
5.2 People vulnerabilities 43
5.3 Process vulnerabilities 45
5.4 Technology vulnerabilities 48
6 Other drivers of information insecurity 51
6.1 Causes for concern 51
6.2 External factors: the constantly changing landscape 55
6.3 Information security should not inhibit innovative thinking 56
7 Measuring security 57
7.1 Measuring Information Security 57
7.2 Reporting information security metrics 61
8 Other information security topics 63
8.1 Business Impact Analysis (BIA) 63
8.2 Information Risk Management 65
8.3 Planning for survival 69
8.4 The legislative landscape 70
9 Conclusions 71
10 References 72
10.1 Downloadable free of charge 72
10.2 Material requiring purchase 73
10.3 Topics not covered in this book 73
11 Appendix: Acknowledgements 74
12 Endnotes 75
About the author
