Lesson 7 - Week 7: Prepared By: Prof. Joel Correa Cacho



PLANNING FOR SECURITY
• Topics for Week 7:
• Planning for Security
• Information Security Planning and Governance
• Information Security Policy, Standards and Practices
• The Information Security Blueprint
• Security Education, Training and Awareness Program
• Continuity Strategies
PLANNING FOR SECURITY
• Security planning is designing, implementing, monitoring, reviewing and continually
improving practices for security risk management.
• A security plan specifies the approach, responsibilities and resources applied to managing
protective security risks.
THREE SECURITY PLANNING
INFORMATION SECURITY PLANNING AND GOVERNANCE
• Strategic planning sets out the long-term direction to be taken by the whole organization and
by each of its component parts. Strategic planning should guide organizational efforts and
focus resources toward specific, clearly defined goals.

• Planning Levels
• Once the organization’s overall strategic plan is translated into strategic plans for each major
division or operation, the next step is to translate these plans into tactical objectives that
move toward reaching specific, measurable, achievable, and time-bound
accomplishments. The process of strategic planning seeks to transform broad, general,
sweeping statements into more specific and applied objectives. Strategic plans are used to
create tactical plans, which are in turn used to develop operational plans.
SECURITY PLANNING PROCESS
PLANNING AND THE CISO
• The first priority of the CISO and the information security management team is the creation
of a strategic plan to accomplish the organization’s information security objectives. The plan
is an evolving statement of how the CISO and the various elements of the organization will
implement the objectives of the information security charter that is expressed in the
enterprise information security policy (EISP).
INFORMATION SECURITY GOVERNANCE
• Governance is “the set of responsibilities and practices exercised by the board and executive
management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately and verifying that the
enterprise’s resources are used responsibly.” Governance describes the entire process of
governing, or controlling, the processes used by a group to accomplish some objective.

• Information Security Policy, Standards and Practices
• Policy - is a plan or course of action that conveys instructions from an organization’s senior
management to those who make decisions, take actions, and perform other duties.
• Policy must:
• Never conflict with laws
• Stand up in court, if challenged
• Be properly administered through dissemination and documented acceptance
• Standards - are more detailed statements of what must be done to comply with policy.
• Information Security Policy - provides rules for the protection of the information assets of the
organization.
THREE TYPES OF SECURITY POLICY
• Enterprise information security policies
• Issue-specific security policies
• Systems-specific security policies
ENTERPRISE INFORMATION SECURITY POLICY (EISP)
• The EISP is also known as a general security policy, organizational security policy, IT
security policy, or information security policy. The EISP is
based on and directly supports the mission, vision, and
direction of the organization and sets the strategic direction,
scope, and tone for all security efforts.
ENTERPRISE INFORMATION SECURITY POLICY (EISP)

Table 8 Components of the EISP


ISSUE-SPECIFIC SECURITY POLICY (ISSP)
• An ISSP (1) addresses specific areas of technology, (2) requires frequent updates, and (3)
contains a statement on the organization’s position on a specific issue.
• An ISSP may cover the following topics, among others:
• E-mail
• Use of the Internet
• Specific minimum configurations of computers to defend against worms and viruses
• Prohibitions against hacking or testing organization security controls
• Home use of company-owned computer equipment
• Use of personal equipment on company networks
• Use of telecommunications technologies (fax and phone)
• Use of photocopy equipment
Table 9 Components of an ISSP
SYSTEMS-SPECIFIC POLICY (SYSSP)
• SysSPs often function as standards or procedures to be used when configuring or
maintaining systems. SysSPs can be separated into two general groups, managerial guidance
and technical specifications, or they can be combined into a single policy document.

• Policy Management
• To remain viable, security policies must have:
• Responsible Individual
• Schedule of Reviews
• Review Procedures and Practices
• Policy and Revision Date
THE INFORMATION SECURITY BLUEPRINT
• Security blueprint - is the basis for the design, selection, and implementation of all security
program elements including policy implementation, ongoing policy management, risk
management programs, education and training programs, technological controls, and
maintenance of the security program.

• ISO 27002 (ISO/IEC 17799) - The stated purpose of ISO/IEC 27002 is to “give
recommendations for information security management for use by those who are responsible
for initiating, implementing, or maintaining security in their organization.”

Figure 18 BS7799:2 Major Process Steps
Source: Course Technology/Cengage Learning
ISO/IEC 27001:2005: THE INFORMATION SECURITY MANAGEMENT SYSTEM

Table 10 The ISO/IEC 27001:2005 Plan-Do-Check-Act Cycle
NIST SECURITY MODEL (NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY)
• NIST documents are publicly available at no charge and have been available for some time;
they have been broadly reviewed by government and industry professionals, and they are among
the references cited by the federal government when it decided not to select the ISO/IEC
17799 standards.
• NIST Special Publication SP 800-12 - An Introduction to Computer Security: The NIST
Handbook
• NIST Special Publication 800-14 - Generally Accepted Principles and Practices for Securing
Information Technology Systems
• NIST Special Publication 800-18 Rev. 1 - The Guide for Developing Security Plans for Federal
Information
DESIGN OF SECURITY ARCHITECTURE
• Spheres of Security - the spheres of security illustrate how information is under attack from a variety of sources.

Figure 19 Spheres of Security

• Levels of Controls - Information security safeguards provide three levels of control: managerial, operational, and technical.
• Defense in Depth - This layered approach is called defense in depth. To achieve defense in depth, an organization must establish multiple layers of
security controls and safeguards, which can be organized into policy, training and education, and technology.

Figure 20 Defense in Depth
Source: Course Technology/Cengage Learning
• Security Perimeter – defines the boundary between the outer limit of an organization’s
security and the beginning of the outside world.

Figure 21 Security Perimeters


Source: Course Technology/Cengage Learning
 
• Firewall - is a device that selectively discriminates against information flowing into or out
of the organization. A firewall is usually a computing device or a specially configured
computer that allows or prevents access to a defined area based on a set of rules.
• DMZ - A buffer against outside attacks is frequently referred to as a demilitarized zone. The
DMZ is a no-man’s-land between the inside and outside networks; it is also where some
organizations place Web servers.
• Proxy Servers - An alternative to firewall subnets or DMZs is a proxy server, or proxy
firewall. A proxy server performs actions on behalf of another system. When deployed, a
proxy server is configured to look like a Web server and is assigned the domain name that
users would be expecting to find for the system and its services.
Figure 22 Firewalls, Proxy Servers, and DMZs
Source: Course Technology/Cengage Learning
 
INTRUSION DETECTION AND PREVENTION SYSTEMS (IDPSs)
• To detect unauthorized activity within the inner network or on individual machines,
organizations can implement intrusion detection and prevention systems (IDPSs).
• Host-based IDPSs - are usually installed on the machines they protect to monitor the status of
various files stored on those machines.
• Network-based IDPSs - look at patterns of network traffic and attempt to detect unusual activity
based on previous baselines.
SECURITY EDUCATION, TRAINING, AND AWARENESS PROGRAM (SETA)
• The SETA program is the responsibility of the CISO and is a control measure
designed to reduce the incidences of accidental security breaches by employees.
• Employee errors are among the top threats to information assets, so it is well worth
expending the organization’s resources to develop programs to combat this threat.

• Three Elements of the SETA program:
• Security Education
• Security Training
• Security Awareness
CONTINUITY STRATEGIES
• Contingency Plan - is prepared by the organization to anticipate, react to, and recover from events that
threaten the security of information and information assets in the organization and, subsequently, to restore
the organization to normal modes of business operations.
• Types of Contingency Plans:
• Incident Response Plans
• Disaster Recovery Plans
• Business Continuity Plans

• Incident - is any clearly identified attack on the organization’s information assets that would threaten the
assets’ confidentiality, integrity, or availability.
• Incident Response (IR) Plan - addresses the identification, classification, response, and recovery from an
incident.
• Disaster Recovery (DR) Plan - addresses the preparation for and recovery from a disaster, whether natural or
man-made.
• Business Continuity (BC) Plan - ensures that critical business functions continue if a catastrophic incident or disaster
occurs.
• Contingency Planning Management Team (CPMT):
• Champion
• Project Manager
• Team Members

Figure 24 Major Steps in Contingency Planning


Source: Course Technology/Cengage Learning
• Business Impact Analysis
• BIA is an investigation and assessment of the impact that various attacks can have on the organization. It
takes up where the risk assessment process leaves off. It begins with the prioritized list of threats and
vulnerabilities identified in the risk management process.

• Incident Response Planning
• Incident response planning includes the identification of, classification of, and response to an incident. The
IR plan is made up of activities that are to be performed when an incident has been identified.

• Disaster Recovery Planning
• Disaster recovery planning is the process of preparing an organization to handle and recover from a disaster, whether natural or man-made.
The key emphasis of a DR plan is to reestablish operations at the primary site, the location at which
the organization performs its business. The goal is to make things whole, or as they were before the disaster.

• Business Continuity Planning
• Business continuity planning prepares an organization to reestablish critical business operations during a disaster that affects operations at
the primary site. If a disaster has rendered the current location unusable, there must be a plan to allow the
business to continue to function.
END OF LESSON 7

THANK YOU