Sunday, June 2, 2013

Reflections

For my first blog and dive into the world of information security I chose to use my blog to summarize the week's learnings for each of our 10 weeks. Because I am not a cybersecurity student but am pursuing a master's focusing on healthcare and technology, I chose a broader, higher-level approach for this blog. My weekly blogging helped me solidify each week by focusing on:
  1. Security and Project Management
  2. Strategic Planning and Governance
  3. Contingency and Incident Planning
  4. Information Security Policy Development
  5. Security Training and Awareness
  6. Metrics and Process Measurement
  7. Risk Management Cycle
  8. Tools and Strategy to Control Risk
  9. Technology Strategy for Information Security
  10. Roles in Information Security
I did rely heavily on three sources for information: our textbook, SANS.org and NIST documentation. I also supplemented that with Google Images to find appropriate graphs and pictures, as I truly believe that a picture is worth a thousand words.


I think this blog could be very interesting to someone like me looking for a broad base and understanding of information security methodologies and how to apply these to the broader information technology arena.

Sunday, May 26, 2013

Who pulls this all together...


Proper resourcing and clear definition of roles and responsibilities are a major step in an effective information security program.

The sample structure below from ISACA shows the relationship of the major security functions and the high-level role support required, including:

  • CIO - Vision and strategy for information support of the business strategy.
Not included in this visual, but no less important, are the roles and responsibilities defined for the following:
  • CISO - Vision and strategy for security of information and its support of the business strategy.
  • Security Manager - Day-to-day operations manager of information security functions.
  • Security Administrator - Administration of security policies and technology.
  • Security Technician - Technical specialist for various technology groups (e.g., firewalls, servers, software).
  • Security Officer - Physical security staff and environmental protection.


Sunday, May 19, 2013

Layers of protection

Now to focus on the tools and technology behind the protection mechanisms....

Just as there are many facets of information security, there are many layers or nets of protection that should be employed to create the most secure environment.


Beyond the multiple technologies, we should be aware of the four key concepts for security of information:
  1. Identification - The mechanism that provides basic information about an unknown entity to the known entity it wants to communicate with.
  2. Authentication - The validation of a user's identity. Authentication devices can depend on one or more of four factors: what you know, what you have, what you are, and what you produce.
  3. Authorization - The process of determining which actions an authenticated entity can perform in a particular physical or logical area.
  4. Accountability - Do not forget the importance of documenting actions on a system and tracing those actions to a user, who can then be held responsible for them. Accountability is achieved through system logs and auditing.

Sunday, May 12, 2013

Controlling risk



Now that we have identified risk, how do we control it? How do we know which risks should be addressed and which should not?

There are four main strategies for controlling risk...


  1. Avoid - Do not engage in the activity that incurs the risk, or create an environment where the activity carries no risk.
  2. Reduce or mitigate - Develop controls to reduce the risk to an acceptable level.
  3. Transfer - Move the risk to another entity, for example an outsourced vendor.
  4. Accept - Choose not to address the risk, based on completed due diligence.
What helps an organization understand which strategy to use? Ultimately, feasibility and cost-benefit analysis tools create the picture an organization needs to weigh which strategy to pursue. For example, if the cost is too high in comparison to the benefit, this risk may be a candidate for an acceptance or mitigation strategy.
There are several standard methodologies for risk management and risk control. These include templates and tools for calculating risk.
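As an added, constructed example (not from the post or its sources): the cost-benefit comparison described above, expressed with the standard annualized loss expectancy inputs (ALE = SLE x ARO; CBA = ALE before the control - ALE after - annual cost of the safeguard) and an illustrative decision rule that maps the result onto the four strategies. The ALE/CBA formulas, the sample risk and control figures, and the rules used for avoid and transfer are assumptions, not something the post states.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Risk:
    """One identified risk, quantified with the assumed ALE inputs (SLE x ARO)."""
    name: str
    sle: float  # single loss expectancy: cost of one occurrence
    aro: float  # annualized rate of occurrence

    def ale(self) -> float:
        """Annualized loss expectancy before any control is applied."""
        return self.sle * self.aro

@dataclass
class Control:
    """A candidate mitigation and the residual risk expected once it is in place."""
    name: str
    annual_cost: float  # annual cost of the safeguard (ACS)
    residual_sle: float  # expected loss per occurrence after the control
    residual_aro: float  # expected frequency after the control

def cost_benefit(risk: Risk, control: Control) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    ale_post = control.residual_sle * control.residual_aro
    return risk.ale() - ale_post - control.annual_cost

def choose_strategy(risk: Risk, controls: List[Control],
                    transfer_premium: Optional[float] = None,
                    activity_value: Optional[float] = None) -> str:
    """Illustrative rule mapping the numbers onto avoid / transfer / mitigate / accept."""
    # Avoid: the activity is worth less per year than the loss it is expected to cause.
    if activity_value is not None and activity_value < risk.ale():
        return "avoid"
    # Mitigate candidate: the control with the best cost-benefit, if any were offered.
    best = max(controls, key=lambda c: cost_benefit(risk, c), default=None)
    best_cba = cost_benefit(risk, best) if best is not None else float("-inf")
    # Transfer: assume the vendor or insurer absorbs the whole ALE for a fixed premium.
    transfer_cba = risk.ale() - transfer_premium if transfer_premium is not None else float("-inf")
    if transfer_cba > 0 and transfer_cba >= best_cba:
        return "transfer"
    if best_cba > 0:
        return "mitigate"
    # Accept: every option costs more than it saves; the residual risk is accepted after due diligence.
    return "accept"

# Constructed sample figures: a file-server ransomware risk and one candidate control.
RANSOMWARE = Risk("ransomware on file server", sle=200_000, aro=0.25)  # ALE = 50,000
BACKUPS = Control("offline backups", annual_cost=8_000, residual_sle=30_000, residual_aro=0.25)
```

Changing the control's annual cost to 50,000 flips the answer from mitigate to accept, which is the "cost too high in comparison to the benefit" case the post describes.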

Saturday, May 4, 2013

Information security = Organizational risk

Ultimately, information security is about risk. What is an organization's risk tolerance for information security breaches? How does an organization know what its tolerance may be without understanding, before a breach happens, what the outcome of that breach would be?

So what really is risk? Simply put: Risk = Probability + Severity

Seems simple, but how does an organization really understand its risk so it can identify, assess and prioritize what needs attention? Answer: risk management.

Risk Management:

Risk management is a specific process divided into risk identification and assessment, and risk control.

Reference for great visuals:
Vlajic, N. "Security Risk Management." CSE 4482 Computer Security Management: Assessment and Forensics. N.p., n.d. Web. 4 May 2013. http://www.cse.yorku.ca/course_archive/2010-11/F/4482/CSE4482_03_SecurityRiskManagement_Part1.pdf




Sunday, April 28, 2013

Is my ISMS working?

So we now understand where our risk lies from an information security perspective, we have created policies and procedures to support our organizational goals and best practice, and we have educated our information system user base on these standards to support best practice.

Has this created the desired outcome? Are we more secure with our information?

Now the real hard work starts....

Without measures and metrics, continued diligence and redefinition, the process and implementation will not be as successful, period. This work is very difficult, but it ultimately allows us to continually improve our system, understand where the opportunities are, and judge the effectiveness of the solutions we have implemented.




"What gets measured, gets managed" - Peter Drucker

Sunday, April 21, 2013

Security Education, Training and Awareness

Policy is only part of information security; there are two other critical aspects of a complete security program and plan: training and awareness.

Per SANS (www.sans.org):


• Policy tells the user what to do
• Training provides the skills for performing it
• Awareness changes their behavior

If users do not know what they are supposed to do, it is a policy issue. If the users do not have the skills to perform it, then it becomes a training issue.

Quite often the user does not understand why it is important, and this is a behavioral issue that needs to be changed.

It is also very important to understand that security awareness is not a single event but a process, where the approach is reviewed continuously, improved, and sustained by metrics and success measures.

Source: SANS - Securing The Human

Saturday, April 13, 2013

Information Security Policy Creation

Why is information security policy so important?

"The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency. Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality"  (Special Publication SP 500-169, Executive Guide to the Protection of Information Resources)

What are information security policies and how do they support this goal?

The Information Security Policy Framework


  • Policy - High-level statement of the information security approach that will be taken, set by senior management.
  • Standards - The steps that must be followed to support the policy.
  • Guidelines - Recommended steps to follow to support the standards and policy.
  • Procedures - The step-by-step standard work used to carry out policy, incorporating best practice and required controls.

Sunday, April 7, 2013

Contingency Planning

A big part of security planning is being prepared for the inevitable: a failure that stops or hinders business operations. These can come in many ways, shapes and forms, including malicious attacks, Mother Nature and just plain human mistakes.

Contingency planning has four key parts, each with its own planning and task requirements.

Business Impact Analysis (BIA) includes:

  • Threat Attack Identification and Prioritization
  • Business Unit Analysis
  • Attack Success Scenario Development
  • Potential Damage Assessment
  • Subordinate Plan Coordination
Incident Response Planning (IRP) includes:
  • Incident Planning
  • Incident Assessment
  • Incident Reaction
  • Incident Recovery
Disaster Recovery Planning (DRP) includes:
  • Plan for Disaster Recovery
  • Crisis Management
  • Recovery Operations
Business Continuity Planning (BCP) includes:
  • Establish Continuity Strategies
  • Plan for Continuity of Operations
  • Continuity Management
A total contingency plan includes all phases, and they will kick in at various times and in sequence during an identified incident or disaster:

Plan:      IRP ---------------> DRP ---------------> BCP ---------------> DRP
Timeline:  Attack begins        Post-attack (hours)  Post-attack (days)   Normal operations

Sunday, March 31, 2013

Planning and Governance

So we started a few weeks ago with a discussion of the importance of information security to business and how project management methodologies can improve and increase the success of implementing and monitoring information security... let's call these the what and the how.

How about the why?

Ultimately, IT governance and strategic planning must incorporate the security needs of a business. Only by aligning the goals of the entire organization with the IT efforts will we realize the full benefits of such resource-intensive and costly endeavors.

So let's, first and foremost, make sure we are "doing the right work" and not necessarily focusing on "doing the work right" at this point in time.

Strategic and tactical planning give us a solid framework for governance: both long-term goals and short-term goals that are measurable.

Sunday, March 24, 2013

Security and Project Management

It took me a while to wrap my brain around the McCumber cube, but I now understand how this tool can be used to evaluate information security programs based on the universal attributes of desired goals, information states and safeguards.
McCumber Cube

Much of the conversation and article reviews this week had a recurring theme that people, not technology, are a main failure point for security breaches... I am sure this will be revisited more in the future. In my research I also found an interesting website that I will want to revisit during the course: SANS Institute InfoSec Reading Room http://www.sans.org/reading_room/

The second major learning was how heavily this course will use the methodologies of project management in support of information security management and monitoring. I feel much more comfortable with project management material and will enjoy applying what I already know of it to information security.

We start with the basic building-block tools of a good PM to see what a security project would entail and the work needed to complete it:
  • Work Breakdown Structure (WBS)
  • Gantt Charts
  • PERT
A good website that will help along the way with its thorough and free templates: http://www.projectmanagementdocs.com/

Tuesday, March 12, 2013

I'm back!

Back on my master's pursuit journey after a brief hiatus and starting up with the Information Security class again. Let's dive into the McCumber Cube again...