Information Security Program Development
Bruce C. Gabrielson, PhD
SAIC, Center for Information Security Technology, Columbia, Maryland

Initial version first published and presented: INFOSEC Engineering, AFCEA Educational Foundation, September 1994

Introduction

Formal adherence to detailed security standards for electronic information processing systems is necessary for industry and government survival. Security standards are needed by organizations because of the amount of information, the value of the information, and the ease with which the information can be manipulated or moved. While information security programs are sometimes implemented following an actual loss or incident, prudent business organizations address security early in their corporate life.

For most business enterprises, the concern for physical security is best understood and, as a result, addressed first. However, information security puts the emphasis on protecting the information stored in or processed by the system rather than focusing on simply protecting equipment[1]. Therefore, if the enterprise depends on data processing, a comprehensive information security program covering computing issues will soon follow.

Corporate Objectives

Ensuring its survival and profitability is the fundamental driving objective of the corporation. In the modern business environment, profitability and survivability depend on information. Regardless of the enterprise's business, all of the corporate data resident on the enterprise's computer systems is both valuable and vulnerable.

"The threat extends beyond the physical boundaries of the enterprise"

Because today's business enterprise has extensive electronic communication pathways (computer networks and telephone systems, for example) extending well beyond the physical bounds of the business operation, internal vulnerabilities may be exploited by external threats as well as internal ones.
The consequences can be loss or modification of critical business data, disruption of services, or compromise of proprietary business plans or processes. A high school student, working from his bedroom, can easily erase all of a company's billing records and halt cash flow for weeks or months. Even well-protected businesses (as well as government organizations) may be vulnerable to attacks on corporate web pages. There are trivial attacks that will give any intruder access to the source of a corporate web page. While the source is of no intrinsic value, the loss that may occur if the home page is converted to a competitor's, or modified to include obscene or offensive pictures and text, might be incalculable.

"Basic security conflict: Cost vs. Benefit"

In today's corporate environment there often exists a conflict between security objectives and operational requirements. Marketing, finance, engineering, and management all produce and use data that are critical to that organization's business activities. In addition, within government or the defense industry, some of this data could be considered classified (i.e., SECRET, TOP SECRET, etc.) or unclassified-but-sensitive, requiring even stricter controls for its protection. Therefore, despite the pressure to overlook security needs, successful and responsible organizations will have a written security policy and formal security plans and procedures in place to guide their employees, as well as their business, in protecting their computing assets.

It is very important that management is able to quantify the benefits of a security program as a function of costs. These benefit:cost tradeoffs are essential if one is to be able to justify a security program. In order to formalize this analysis process, certain concepts must be considered:

A business risk is anything that could potentially harm the operation, assets, or profitability of the organization.
Risk analysis is a formal process of determining what your computing assets are worth, identifying vulnerabilities by discovering where threats/exposures could occur, and then determining how much potential harm could be caused if the identified vulnerabilities were exploited.

For each vulnerability identified, the risk analysis produces a cost-benefit analysis to determine if the cost to implement fixes or increase protection is justified by the cost of the asset's loss.

Thus, the security policy and risk go hand in hand: policy is needed to reduce risk, and the risk analysis is used to justify a security policy.

Responsibilities of Management and Employees

If both management and employees understand their respective responsibilities for protecting computer data, it follows that they must also recognize the problems they face in developing and implementing a security program.

"Management's role"

Management has the ultimate responsibility for implementing a data security program based on an assessment of business risk (corporate cost/benefit tradeoff) and an information system (IS) security risk assessment. All levels of management must be involved (and held accountable) to ensure the program is understood and properly implemented. Management must understand that they are legally responsible for the integrity of corporate data assets just as they are with other assets of the corporation.

"Employee's role"

Employees must recognize that the corporate data on their computers is both valuable and vulnerable. They must understand their legal responsibilities regarding the unauthorized release of sensitive data. Note that sensitive data means data that requires protection due to the risk and magnitude of loss or harm that could result from its unavailability, disclosure, alteration, or destruction.

The means of ensuring employee understanding and/or recognition of their responsibilities varies.
User/employee security awareness training is one of the most common means available to achieve recognition of responsibility and computing asset worth. Some organizations require personnel to sign an agreement that includes the protection of computing assets as a condition of employment, while others sign agreements as a condition of allowing their connection to the organization's network. Another recognition means often implemented is the use of security login banners, which are displayed whenever a user logs onto the corporate network.

"Everyone in the corporation has an important security role"

The following table summarizes the related responsibilities for various management levels within a typical corporation:

1. Chairman of the Board: to protect and ensure the continuity of the corporation
2. President: to protect and ensure the profitability of the corporation
3. Managers: to maintain information as a strategic asset of the corporation
4. IS Security Manager: to ensure written security policies are developed, implemented and followed
5. Users: ultimate responsibility for accidental or intentional destruction or disclosure

Notice in the above list that operational IS security is not a direct concern of upper management, but the protection of information assets certainly is. Also notice that the IS Security Manager is the key to development and enforcement of a comprehensive security policy. Without this individual physically inserted into the management process, a security program will not be implemented or enforceable, and upper management will not be able to provide for the protection of its information assets.

Recognizing the Scope: Enterprise-wide Security

IS vulnerabilities, in general, relate to the weak points of the tangible computing assets in the corporation, and how exposed these assets might be to exploitation. These vulnerabilities can vary greatly depending on the network or stand-alone environment used by the corporation.
Obviously, the weakest link in the security chain is also the most vulnerable point. Since the three basic goals of computer security are ensuring secrecy, integrity, and availability of data, vulnerabilities of a computer-oriented business can include just about everything related to the business operation. Typical assets are hardware, software, data files, support documentation, people, and outside communications.

"Positively motivate the employees"

Employee motivation is a key feature of computer security. The disgruntled employee who imports or develops a virus generally does so for revenge. He wishes to "get back at management" for that tiny raise, or the overlooked promotion. Crackers who break into protected networks or sensitive files are motivated by peer pressure or simply entertainment. Industrial spies could be driven by political or financial reasons. Regardless of motivation, the personal perspective of individuals who have access to corporate computing assets is of critical importance. Ultimately, the employees must be motivated to recognize the need to protect company information and to report attempts by outsiders to obtain access to that information.

Those individuals who have access to corporate computing assets are those who have the opportunity to create problems. This opportunity relates not only to employees, but also to those who are external to the corporation but might gain access based on weak network protection techniques. Opportunity, or more correctly access control, is therefore the foundation of security for information systems.

Four Basic Security Threats

In general, there are four kinds of computer security threats: interruption, interception, modification and fabrication.

Interruptions include any delay or disruption of normal business operations. Computer down time caused by viruses and their removal is a very common problem today. Even just a few minutes for each employee can add up to many lost productive staff hours or staff days.
Interceptions are any unauthorized access to information, which may or may not result in the illicit use of data. Browsing through stored files and monitoring network or telephone transfers are considered access. There are hundreds of methods to remotely gain unauthorized access to computer systems over a network. If the network is the public Internet, then virtually anyone in the world can get access. In private networks, one still must be aware of the insider; most incidents of computer fraud involve insiders to the corporation. Networks and telephone systems are easily tapped, which provides access to much crucial data or the knowledge needed to obtain direct access to the enterprise's computer systems.

Modification includes tampering with information once access has been achieved, by changing software or hardware controls or the data itself. Think of the consequences if an intruder changed the amounts owed to your company by outside vendors. All of your billings would be incorrect and the cash flow totally disrupted.

Fabrication means fraud and counterfeiting. It is modification in a way that benefits the intruder or causes problems for the corporation. It can involve skillfully adding data or objects to the computing system, such as transactions or additional files in a database. An example of data tampering is accessing a university database to change the grade received in a class, or planting compromising email messages that could benefit a sexual harassment lawsuit.

Security Policy Objectives

A comprehensive data security program will involve both people and information. The typical activities included in such a program are:

1. Prevention
2. Protection
3. Detection/Investigation
4. Damage Assessment
5. Recovery

Security Policy Statement

The policy objectives are set forth in the security policy statement, which is the cornerstone of any effective program for managing and controlling an organization's information assets[2].
Policies are the high-level guidance or vision directing the organization. The statement establishes the basic philosophy of the organization and determines the functional areas where controls must be established. Implemented by management to provide information, control and direction, the IS Security Policy is used to support the development of the subsequent security program. According to Peltier[2], a good Infosecurity program policy statement must do a number of things:

1. Identify information assets.
2. Define who is responsible for classifying and valuing information assets and who must comply.
3. Describe the role of employees in protecting information.
4. Provide for monitoring and enforcement.

"What is protected"

The security policy statement should describe what information should be protected as well as the extent of allowable distribution. Responsibilities should address all levels of the organizational structure, stating who is responsible for complying with the policy and who is responsible for making sure that the classifying policies are enforced. Each employee's security role should be spelled out; the consequences of non-compliance must be linked to those roles and attendant responsibilities.

"How is it enforced"

Monitoring and enforcement address when the policy becomes effective, the conditions under which the policy is enforced, and how it will be monitored. For instance, does it apply only to a specific group of employees while working in the organization's facilities, or does it apply to employees on travel or in the field? Normally, background on the need for a policy is also incorporated.

"Keep it simple"

The policy statement should be short, easy to read, and not incorporate technical terms. It must also be unambiguous, so that no one can be exempted from the requirements. One method of ensuring accountability is to incorporate an employee acceptance page at the end of the document which must be signed and returned to appropriate management personnel.
This form could also become an annual requirement delivered as part of annual security awareness training.

"Protect people as well as data"

Don't forget that people can make or break a policy.

1. Guard against, and remove from unnecessary temptation, inappropriate data that employees might be exposed to while fulfilling job responsibilities.
2. Ensure management awareness of the need for security, and their participation in the development and implementation of security policies.
3. Ensure the protection of sensitive or confidential data.
4. Provide protection from acts that would cause malfunctions, errors and omissions, inaccuracy, unauthorized disclosure or destruction of data.
5. Ensure that the controls and procedures are in place that allow immediate detection and countermeasure implementation for information threats.
6. Protect management from charges of imprudence in the event of information compromise.
7. Ensure the ability of the organization to survive business interruptions and function adequately afterwards.

Developing the Final Security Implementation Program Plan

The typical areas a security program might include are identified below:

Physical Security. Prudent measures to provide for physical security include the installation of appropriate fire-rated walls, physical access controls to the facility and processing areas, and automatic fire detection and extinguishing systems.

Contingency Plan (Disaster Recovery Plan). This aspect of a security plan is based on the realization that if a disaster occurred, the organization must be able to resume its critical processing. It requires the identification of those applications critical to survival, e.g., storage of the related operating systems, operator instructions, utilities, programs, and data in an off-site storage facility. The most crucial aspect of this program is testing the plan using the designated alternate processing site.
Many a disaster recovery plan has failed because it was never tested, and when it was needed, no one knew what to do.

Protected Data Controls. Aside from personnel, the most vital computer-related assets are programs and data. They must be protected by proper identification and authentication of the user. Properly controlled, this will ensure that the user is who he purports to be and that he is authorized to have access to the data. This control ultimately resides at the disk level, but includes all computer security threats: interruption, interception, modification, and fabrication.

Network Security. Networking systems have evolved into a highly technical discipline. Many organizations rely heavily on these systems to communicate and gather information. Because of this dependency, network systems normally require special security processes, continual proactive security testing, contingency plans, and data access controls over and above corporate controls.

Training and Awareness Program. Without some guidance at the user level regarding appropriate protective measures and actions, the best conceived security plans are not going to cover everything that can happen. Training has become an essential part of ensuring responsible employee use of their computing assets.

"You need all of the pieces"

Each area is critical for the overall security program posture, and each should be covered in final security plans and procedures. However, the protected data controls area and the network security area set the baseline for formal IS Security programs, and are usually combined into the overall IS Security Plan for a corporation. The information flow and timeline for the overall security program is shown in Figure 1. Note that nothing can be done until a security policy is implemented, based on the initial business risk assessment. After that, nothing should precede the formal IS risk assessment process, etc.
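The risk analysis and cost-benefit justification described under Corporate Objectives (asset worth, vulnerabilities, potential harm, and a per-vulnerability test of whether the fix is cheaper than the loss), with each vulnerability tagged by one of the four threat kinds named above, worked through as an added example. This is not code from the original article or its Figure 1: the annualized expected-loss formula, the decision rule, the assumption that a fix removes its risk entirely, and every asset value, rate and cost below are constructed for illustration.

```python
"""Risk analysis with a cost-benefit test per vulnerability.

Added example (not from the article). Potential harm per occurrence is the
asset's value times the fraction lost; expected loss scales that by how
often the event is expected per year; a fix is justified when it costs less
than the expected loss over the planning horizon. All figures are assumed.
"""
from dataclasses import dataclass

# The four threat kinds named in the article.
THREAT_KINDS = {"interruption", "interception", "modification", "fabrication"}


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # worth of the asset in dollars (constructed figure)


@dataclass(frozen=True)
class Vulnerability:
    asset: Asset
    description: str
    threat_kind: str      # one of THREAT_KINDS
    annual_rate: float    # expected exploitations per year (assumed estimate)
    loss_fraction: float  # share of the asset's value lost per exploitation
    fix_cost: float       # cost to implement the countermeasure (assumed)

    def __post_init__(self):
        # Reject inputs that would make the analysis meaningless.
        if self.threat_kind not in THREAT_KINDS:
            raise ValueError(f"unknown threat kind: {self.threat_kind}")
        if not 0.0 <= self.loss_fraction <= 1.0:
            raise ValueError("loss_fraction must be between 0 and 1")
        if self.annual_rate < 0 or self.fix_cost < 0:
            raise ValueError("rates and costs must be non-negative")


def single_loss(v):
    """Potential harm caused by one exploitation of the vulnerability."""
    return v.asset.value * v.loss_fraction


def annual_expected_loss(v):
    """Harm per occurrence scaled by how often it is expected each year."""
    return single_loss(v) * v.annual_rate


def fix_justified(v, horizon_years=1):
    """Cost-benefit test: is the fix cheaper than the loss it prevents over
    the horizon?  Assumes (simplification) the fix removes the risk entirely."""
    return v.fix_cost < annual_expected_loss(v) * horizon_years


def analyze(vulns, horizon_years=1):
    """Rows sorted by expected loss, highest first, each with its decision."""
    rows = []
    for v in vulns:
        rows.append({
            "asset": v.asset.name,
            "vulnerability": v.description,
            "threat_kind": v.threat_kind,
            "expected_loss": round(annual_expected_loss(v) * horizon_years, 2),
            "fix_cost": v.fix_cost,
            "justified": fix_justified(v, horizon_years),
        })
    rows.sort(key=lambda r: r["expected_loss"], reverse=True)
    return rows


# Constructed sample data for a small billing operation.
BILLING = Asset("billing records", 500_000.0)
WEB_PAGE = Asset("corporate web page", 20_000.0)
SAMPLE_VULNS = [
    Vulnerability(BILLING, "no off-site backup; records erased by intruder",
                  "interruption", annual_rate=0.2, loss_fraction=1.0,
                  fix_cost=15_000.0),
    Vulnerability(BILLING, "amounts owed altered after unauthorized access",
                  "modification", annual_rate=0.1, loss_fraction=0.5,
                  fix_cost=40_000.0),
    Vulnerability(WEB_PAGE, "home page defaced",
                  "modification", annual_rate=1.0, loss_fraction=0.25,
                  fix_cost=8_000.0),
    Vulnerability(WEB_PAGE, "page source read by outsiders",
                  "interception", annual_rate=2.0, loss_fraction=0.0,
                  fix_cost=500.0),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_VULNS):
        print(row)
```

With these assumed figures the backup fix is justified on a one-year horizon while the billing-integrity control only becomes justified over two years, which is the point of the horizon parameter: the same vulnerability list yields different decisions depending on how far ahead management is willing to count avoided loss.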
Figure 1 - IS Security Program Flow

Conclusion

This article has provided a simplified overview of the principal corporate objectives in developing security policy and related plans. Each of the many topics can take many pages to cover adequately, and this article hopes to encourage managers to look more deeply into the development of security policies and plans and subsequently develop a formal IS Security Plan, the Disaster Recovery Plan, and the procedures governing corporate physical security safeguards for their own enterprise. Each organization has its own different and unique computing needs and corporate objectives. Merging these two to allow easy acceptance of security controls while fully protecting the corporation's computer information assets is no simple task.

Bibliography

Carroll, John M., Computer Security, Butterworth-Heinemann, Newton, MA, 1995
Pfleeger, Charles P., Security in Computing, Prentice Hall, Englewood Cliffs, NJ 07632
Gabrielson, Bruce C., INFOSEC Engineering, Security Engineering Services, Chesapeake Beach, MD, 1995