The contents of this document are the copyright of C-DAC. No part of the
contents may be used or reproduced without prior permission from C-DAC.
Acknowledgements:
Department of Information Technology, Government of India.
Introduction
In this lesson, an overview of security management is presented. We will discuss the
important concepts of security management, what an Information Security Management
System (ISMS) is, and the activities of security management. We will also study the eight
principles of security management that are very important while designing secure systems.
Security Management
Any information system is prone to attacks—by internal users (employees) or by external
users (hackers). An information system can be considered “secure” if it is free from ill-
effects of attacks. However, it is impossible to develop a perfectly secure system. Hence,
the main objective of security management is to minimize the damage of possible attacks.
The management has to specify the security objectives, develop the procedures and
evaluate the system. The management has to provide enough security controls so that the
users develop trust in the information system.
In most organizations, security is managed ‘reactively’: when something goes wrong, the
management reacts to the situation and tries to find out what went wrong. Such reactive
management is not healthy. Management has to manage security proactively. Proactive
management involves identifying the information assets, studying the current practices for
securing them, identifying the threats and vulnerabilities, and then identifying the
mechanisms to provide the necessary security features.
Cost benefit analysis and risk analysis are the two important activities in this direction. The
proactive managers have to develop the necessary security policies and procedures. In
addition, management has to invest in training the people and installing security products
to achieve the security goals.
Human threats can be either intentional or unintentional. Intentionally, users may destroy
or steal information. Sometimes, unintentionally users may delete files or lose backup files.
to identify the threats to the information assets and information systems, analyze the
vulnerabilities, define and assess risk and then work out the countermeasures to be
implemented.
The security system needs to have three components: specifications or policy that defines
what the system is supposed to do; implementation or mechanism that describes how to
achieve the requirements specified in the policy; and assurance, the process of checking
whether the system really meets the security requirements.
Operational Issues
In many organizations, security is not given enough emphasis, mainly because investment in
security may not yield direct benefits even though it costs the management a lot. The
management has to carry out cost-benefit analysis and risk analysis before deciding on the
likely investment in security. The laws and customs also need to be studied while
formulating the security policy. For example, enough emphasis has to be given to intellectual
property rights, copyright laws and liability laws. If one employee violates copyright laws or
intellectual property laws, the organization may have to pay severe penalties. Hence,
people management is of prime importance. Information systems need to be protected
from outside attacks by hackers. Equally important is protection from insiders, that is,
employees, as many security violations are due to the employees and ex-employees of the
organization. Lazy system administrators also contribute significantly to security
vulnerabilities. If the system administrator does not apply an operating system patch or
update the anti-virus software, it is likely that the information systems will be attacked
without much difficulty.
Risk Analysis
To carry out a realistic cost benefit analysis, the management has to do a systematic risk
analysis. The management’s objective should be to reduce the risk of losing the information
or losing the availability of systems and networks, to the extent possible. Risk analysis is
done in four phases. To start with, vulnerability analysis is carried out. This analysis is to
study the loopholes of the present systems and networks. After that, the risk is assessed by
estimating the impact of the vulnerabilities on the information. Once all the possible risks
are identified, then the risk items have to be prioritized based on the impact. Then the
management has to work out the strategies to reduce the risks. As risk analysis and risk
management are very important management activities, we will discuss them in more detail
in a separate lesson.
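The four phases above, combined with the cost-benefit check, as an added example that is not part of the original lesson. Scoring risk as likelihood × impact, accepting a risk when no control pays for itself, and all assets, figures and control names are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:                      # phase 1: a vulnerability found on an asset
    asset: str
    vulnerability: str
    likelihood: float               # assumed estimate: chance of exploitation per year
    impact: float                   # assumed estimate: loss if exploited
    @property
    def exposure(self) -> float:    # phase 2: assessed risk as expected yearly loss
        return self.likelihood * self.impact

@dataclass(frozen=True)
class Control:
    name: str
    fixes: str                      # vulnerability the control addresses
    annual_cost: float
    effectiveness: float            # fraction of the exposure it removes

def prioritize(findings):           # phase 3: largest exposure first
    return sorted(findings, key=lambda f: f.exposure, reverse=True)

def plan(findings, controls):       # phase 4: pick a strategy for each risk
    rows = []
    for f in prioritize(findings):
        best, best_net = None, 0.0
        for c in controls:
            net = f.exposure * c.effectiveness - c.annual_cost   # cost-benefit
            if c.fixes == f.vulnerability and net > best_net:
                best, best_net = c, net
        strategy = f"mitigate: {best.name}" if best else "accept and monitor"
        rows.append((f.asset, round(f.exposure), strategy, round(best_net)))
    return rows

# Constructed sample data; every name and figure is hypothetical.
FINDINGS = [
    Finding("intranet wiki", "weak passwords", 0.3, 10_000),
    Finding("file server", "unpatched operating system", 0.4, 500_000),
    Finding("backup tapes", "unencrypted off-site copies", 0.05, 300_000),
    Finding("mail gateway", "outdated anti-virus signatures", 0.6, 80_000),
]
CONTROLS = [
    Control("patch management process", "unpatched operating system", 20_000, 0.9),
    Control("anti-virus update subscription", "outdated anti-virus signatures", 5_000, 0.8),
    Control("tape encryption appliance", "unencrypted off-site copies", 25_000, 0.95),
]

if __name__ == "__main__":
    print(*plan(FINDINGS, CONTROLS), sep="\n")
```

Each row gives the asset, its assessed exposure, the chosen strategy and the net yearly benefit of that strategy; a control that costs more than the loss it prevents is not selected.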
Security Assurance
The management has to take the necessary steps to protect its information assets and this
has to be done by following a very systematic process. The process of ensuring that the
information management system meets its security goals is called security assurance. The
security assurance process can be divided into five sub-processes. These are security
requirements specifications, design of a security system, implementation of the system,
testing the system to ensure that it meets the requirements and periodically auditing the
system to check whether any improvements can be made.
Formal Methods
During the research on information security over the last few decades, a lot of ‘formal’
methods have been developed. Formal methods try to remove the vagueness that is
inherent in natural language descriptions of security requirement specifications and
verification. Unfortunately, these formal methods are popular only in academic and
research circles; they are yet to find wide acceptance in commercial environments. A
number of formal specification and verification languages have been developed to specify
and verify security systems. These methods are used extensively to specify and verify
security protocols, cryptographic protocols such as key distribution, authentication
protocols etc. The main advantage of these formal methods is that you can specify the
requirements in unambiguous terms. If you specify the requirements in a natural
language, say English, then there will be a lot of ambiguity. But then, you need to have
the mathematical inclination of a professor to get into formal methods, and most system
administrators and information security officers do not appreciate the importance of
these formal methods.
The various formal evaluation methodologies are: Trusted Computer System Evaluation
Criteria (TCSEC), Information Technology Security Evaluation Criteria (ITSEC) and Common
Criteria (CC). We will discuss the details of these methodologies in a separate lesson.
ISMS
In security management, the concept of Information Security Management System (ISMS)
is very important. The information assets of your organization, the computers and the
networks, the applications and all the information processing technologies together become
the information system. To provide the security, you need to develop the security
objectives, security policy, various security controls that have to be put in place and the
security procedure documents. These form the components of the ISMS.
After the various components of ISMS are put in place, you need to check whether the
ISMS meets the security objectives. This process is security assurance. Security assurance
is similar to quality assurance. You need to define the process and the procedures and show
documentary evidence that you are really following the procedures. A number of
Overview of Security Management Page 4 of 7
Course on Cyber Security
international standards and frameworks have been developed which describe the best
practices for security management. These include: ISO 17799 or BS 7799, SSE-CMM and
OCTAVE. We will study these standards and frameworks in more detail later.
example consider cryptography. You need not keep the cryptographic algorithm secret at
all. You need to keep secret only the keys. As long as your cryptographic algorithm is very
strong, there is nothing wrong in making the algorithm public. Of course, those who do not
subscribe to this principle can argue that by keeping the algorithm secret, the hacker will
have a more difficult time trying to decode the text; after all, first he has to try out different
algorithms and then try to decode the text.
Vulnerability Analysis
Keeping in view the eight principles described above, the information system security has
to be designed and implemented. But then, there is no guarantee that the system is fully
secure. So, periodically, vulnerability analysis has to be carried out to find out the loopholes
in the security system. This is done through systematic testing by simulating attacks. The
attacks can be insider attacks (by employees) or outsider attacks (by external users). By
simulating the insider attacks and outsider attacks, the vulnerability analysis is done and
loopholes are discovered. Nowadays, ‘ethical hackers’ are being employed to do the
vulnerability analysis. Note that vulnerability analysis requires a lot of ingenuity.
Security Products
After the loopholes are found out, the next step is to prevent attacks by introducing the
necessary security features into the information systems. A number of security products
such as anti-virus software, intrusion detection systems, intrusion prevention systems,
firewalls, access control systems, forensic tools etc. need to be installed so that the
information systems are protected from hackers.
The major suppliers of security products are: Check Point, Cisco, Juniper Networks, McAfee,
Portwise, RSA Security, Symantec, Trend Micro, Watchguard etc. You may like to go
through their web sites which give a wealth of information on security and their products.
However, note that just installing high-end security products is not enough; policies,
procedures and trained people are a must for a system to be really secure.
Summary
• Security management involves identification of information assets, current security
practices, threats and vulnerabilities and development of security policy, security
procedures and training the people.
• The top management has to commit itself to information security by allocating the
necessary resources and identifying the persons responsible for information security.
• Security management can be divided into three important activities: requirements
specifications, which describe what the system is supposed to do; implementation,
which describes how to do it; and assurance, which is the process of checking whether
the system is really working as per the requirements.
• Information Security Management System (ISMS) covers the information assets,
systems and networks and all related information processing technologies.
• The various components of ISMS are: security objectives, security policy, security
controls and security procedure documents.
• While designing a security system, the eight design principles need to be kept in
mind.