
LO Materials for M0792_13th Meeting

Learning Objectives:
1. Describe the importance of information security in an organization
2. Identify the key concepts of information security
3. Identify the five basic outcomes of information security governance
4. Explain the major tasks in contingency planning
5. Identify security architecture models and security management models
6. Describe residual risk, access controls, and firewalls

INTRODUCTION

WHY DOES AN ORGANIZATION NEED INFORMATION SECURITY?

Richard Menta, writing in SC Magazine in 2005, commented on recent research of the top 350 UK companies listed on the Financial Times: "Four out of five investors indicated that a significant breach in security would have a major impact on share price. Two thirds said it would influence a decision to buy or sell shares. Nearly nine in ten expected board members to be aware of, and to be able to review, their company's infosec vulnerabilities, and 57 percent thought they should know about the company's information risk strategy." [Richard went on to make a case for keeping stakeholders informed about an organization's information security status, an interesting perspective on security awareness. Topping the list of nine steps to safety was "Persuade senior managers to embrace a security culture and give staff continuous access to security and privacy information and training."]

We have invested in firewalls, antivirus systems and other security technology. Every one of those products was no doubt sold to us on the basis of its effectiveness, but we still suffer severe information security breaches and the problems are getting worse, not better. What's going wrong? The answer, according to Gartner, is that "80% of unplanned downtime is due to people and processes." COSO makes the point that "Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization." In their network security survey report, Meta estimated that 30% of IT security relates to technology, and 70% relates to people and practices. According to Forrester, "Technology alone can't address one of the most difficult aspects of any security programme, the human element. In the end, it is usually people who make the simple mistakes or commit the crimes that lead to most security breakdowns."

Martin Smith, principal of The Security Company, puts it thus: "We must stop developing increasingly technical solutions for increasingly obscure problems at the expense of the blindingly obvious. Systems malfunctions and human error or ignorance will cost you far more than viruses, cybercrime, phishing or Denial-of-Service attacks."

The State of Information Security 2005 survey by CIO Magazine and PricewaterhouseCoopers noted: "Respondents also identified several top strategic priorities for the coming year. In descending order, these are: disaster recovery and business continuity; employee awareness programs; data backup; enterprise information security strategy; enhanced network firewalls; a centralised information security management system; periodic security audits; employee monitoring; monitoring security reports such as log files or vulnerability reports; and protecting intellectual property." Things are looking up at last!

The 2005 Australian Computer Crime and Security Survey noted: "The top vulnerabilities reported closely matched the top security management challenges for organisations. Inadequate staff training in computer security management (47%) and poor security culture within organisation (40%) were among the top vulnerabilities reported. This compares to 61% of respondents who identified changing users' (staff) attitudes and behaviour towards computer security practices as a challenge for them. Survey respondents overwhelmingly acknowledged that they need to do more to ensure an appropriate level of IT security qualification, training, experience or awareness for general staff, IT security staff and management."

Broadly similar findings were reported by Deloitte in their 2005 Global Security Survey of financial services companies: "Respondents to this year's survey point to a host of continuing challenges to the business. Chief among them are the increasing sophistication of threats (63%) and the lack of employee awareness and training (48%), both of which may create an environment of exploitable vulnerabilities and weak operational practices. It is clear why executives consistently cite risk management as the most important reason for investing in security."

(Source: The true value of information security awareness by Dr Gary Hinson PhD MBA CISSP http://www.noticebored.com/html/why_awareness_.html )

PAGE 1 - WHAT IS INFOSEC?

Information security (infosec) is the protection of information and its critical characteristics (confidentiality, integrity, and availability), including the systems and hardware that use, store, and transmit that information, through the application of policy, training and awareness programs, and technology. (Whitman & Mattord, 2010)

Information security is the process of protecting information. It protects its availability, privacy and integrity. Access to stored information on computer databases has increased greatly. More companies store business and individual information on computers than ever before. Much of the information stored is highly confidential and not for public viewing. (wisegeek.com) http://www.wisegeek.com/what-is-information-security.htm

Information security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption. Wikipedia says, "Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction." (sans.org) http://www.sans.org/information_security.php

(Whitman & Mattord, 2010) {An attractive animation can be made of the figure above, accompanied by attractive colours.}

PAGE 2 KEY CONCEPTS OF INFORMATION SECURITY

The C.I.A. triangle, which is the basis of the CNSS model of information security, has been the industry standard for computer security since the development of the mainframe. The C.I.A. triangle is founded on three desirable characteristics of information: confidentiality, integrity, and availability. (Whitman & Mattord, 2010)

The CIA triad is a well-known model in information security development. It is applied in various situations to identify problems or weaknesses and to establish security solutions. It is an industry standard that information systems professionals should be familiar with. (cippguide.org) https://www.cippguide.org/2010/08/03/cia-triad/

[Figure: C.I.A. Triangle, with the vertices Confidentiality, Integrity and Availability]

{To display this triangle, a rotating animation with a good colour combination can be used.}

{When Confidentiality is hovered over or clicked, this text appears:} Confidentiality is the characteristic of information whereby only those with sufficient privileges and a demonstrated need may access certain information.

{When Integrity is hovered over or clicked, this text appears:} Integrity is the quality or state of being whole, complete, and uncorrupted.

{When Availability is hovered over or clicked, this text appears:} Availability is the characteristic of information that enables user access to information in a usable format without interference or obstruction.

PAGE 3 INFORMATION SECURITY GOVERNANCE

The governance of information security is a strategic planning responsibility whose importance has grown in recent years. According to the Information Technology Governance Institute (ITGI), information security governance includes all of the accountabilities and methods undertaken by the board of directors and executive management to provide strategic direction, establishment of objectives, measurement of progress toward those objectives, verification that risk management practices are appropriate, and validation that the organization's assets are used properly. (Whitman & Mattord, 2010)

The five basic outcomes of information security governance:
1. Strategic alignment of information security with business strategy to support organizational objectives
2. Risk management by executing appropriate measures to manage and mitigate threats to information resources
3. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
4. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
5. Value delivery by optimizing information security investments in support of organizational objectives
(Whitman & Mattord, 2010)

The Corporate Governance Task Force (CGTF) recommends following a governance framework; the framework, called the IDEAL model, is named for its stages.

IDEAL is a service mark of Carnegie Mellon University. {The figure's animation starts with the letters I, D, E, A, L; after that, the text inside appears.}

PAGE 4 CONTINGENCY PLANNING

The overall process of preparing for unexpected events is called contingency planning (CP). CP is the process by which the information technology and information security communities of interest position their respective organizational units to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets, both human and natural. The main goal of CP is to restore normal modes of operation with minimal cost and disruption to normal business activities after an unexpected event; in other words, to make sure things get back to the way they were within a reasonable period of time. (Whitman & Mattord, 2010)

Contingency planning is the activity undertaken to ensure that proper and immediate follow-up steps will be taken by management and employees in an emergency. Its major objectives are to ensure (1) containment of damage or injury to, or loss of, personnel and property, and (2) continuity of the key operations of the organization. (businessdictionary.com) http://www.businessdictionary.com/definition/contingencyplanning.html

The Major Tasks in Contingency Planning

(Whitman & Mattord, 2010) {The chart above should be made attractive with a combination of several colours.}

The Contingency Planning Implementation Timeline

(Whitman & Mattord, 2010) {The chart above should be made attractive with a combination of several colours.}

PAGE 5 ENTERPRISE INFORMATION SECURITY POLICY

One implementation model that emphasizes the role of policy in an information security program is the bull's-eye model. The bull's-eye model has become widely accepted among information security professionals. In this model, issues are addressed by moving from the general to the specific, always starting with policy. The figure below illustrates the four layers of the bull's-eye model.

1. Policies: The outer layer in the bull's-eye diagram.
2. Networks: The place where threats from public networks meet the organization's networking infrastructure.
3. Systems: Computers used as servers, desktop computers, and systems used for process control and manufacturing systems.
4. Applications: All application systems, ranging from packaged applications, such as office automation and e-mail programs, to high-end enterprise resource planning (ERP) packages, to custom application software developed by the organization.
(Whitman & Mattord, 2010)

An enterprise information security policy (EISP), also known as a security program policy, general security policy, IT security policy, high-level information security policy, or more simply, information security policy, sets the strategic direction, scope, and tone for all of an organization's security efforts. The EISP assigns responsibilities for the various areas of information security, including maintenance of information security policies and the practices and responsibilities of end users. In particular, the EISP guides the development, implementation, and management requirements of the information security program, which must be met by information security management, IT development, IT operations, and other specific security functions. (Whitman & Mattord, 2010)

Components of the EISP:
1. Statement of Purpose
2. Information Technology Security Elements
3. Need for Information Technology Security
4. Information Technology Security Responsibilities and Roles
5. Reference to Other Information Technology Standards and Guidelines
(Based on documents from Washington University in St. Louis; Whitman & Mattord, 2010)

PAGE 6 ORGANIZING FOR SECURITY

The organization's size and available resources also directly affect the size and structure of the information security program. Organizations with complex IT infrastructures and sophisticated system users are likely to require more information security support. Large, complex organizations may have entire divisions dedicated to information security, including a CISO, multiple security managers, multiple administrators, and many technicians.

Information Security Staffing in a Large Organization

Information Security Staffing in a Medium-Small Organization

This table outlines the suggested functions for a successful information security program. These functions are not necessarily performed within the information security department, but they must be performed somewhere within the organization.

(Whitman & Mattord, 2010)

PAGE 7 SECURITY MANAGEMENT MODELS

Security Architecture Models
Security architecture models illustrate information security implementations and can help organizations to quickly make improvements through adaptation.

Trusted Computing Base
The Trusted Computer System Evaluation Criteria (TCSEC) is a DoD standard that defines the criteria for assessing the access controls in a computer system.

ITSEC
The Information Technology System Evaluation Criteria (ITSEC), an international set of criteria for evaluating computer systems, is very similar to the TCSEC.

The Common Criteria
The Common Criteria for Information Technology Security Evaluation (often called Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification.

Bell-LaPadula Confidentiality Model
The Bell-LaPadula (BLP) confidentiality model is a state machine model that helps ensure the confidentiality of an information system by means of MACs (mandatory access controls), data classification, and security clearances.

Biba Integrity Model
The Biba integrity model is similar to BLP. It is based on the premise that higher levels of integrity are more worthy of trust than lower ones.

Clark-Wilson Integrity Model
The Clark-Wilson integrity model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment.

Graham-Denning Access Control Model
The Graham-Denning access control model has three parts: a set of objects, a set of subjects, and a set of rights.

Harrison-Ruzzo-Ullman Model
The Harrison-Ruzzo-Ullman (HRU) model defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the Bell-LaPadula model does not.

Security Management Models
1. The ISO 27000 Series
2. NIST Security Models (SP 800-53A)
3. COBIT
4. COSO
5. Information Technology Infrastructure Library
6. Information Security Governance Framework
(Whitman & Mattord, 2010)
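The Bell-LaPadula and Biba rules above are easiest to see as a state machine that answers "may this subject read or write this object?". The following Python is an added example written for these materials, not code from Whitman & Mattord or from any product; the classification lattice, integrity levels, subjects and objects are constructed for illustration. It shows why the two models are duals: BLP forbids reading up and writing down, Biba forbids reading down and writing up.

```python
# Added example (not from Whitman & Mattord): Bell-LaPadula confidentiality
# rules and Biba integrity rules checked over a small constructed lattice.
from dataclasses import dataclass

# Confidentiality lattice for BLP, lowest first (constructed).
CLASSIFICATIONS = ["unclassified", "confidential", "secret", "top_secret"]
C_RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}

# Integrity lattice for Biba, lowest first (constructed).
INTEGRITY_LEVELS = ["low", "medium", "high"]
I_RANK = {name: i for i, name in enumerate(INTEGRITY_LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str   # BLP: the most sensitive data this subject may see
    integrity: str   # Biba: how trustworthy this subject's output is


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str  # BLP: how sensitive the data is
    integrity: str       # Biba: how trustworthy the data is


def blp_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Bell-LaPadula (mandatory access control on confidentiality).
    Simple security property: no read up.  *-property: no write down."""
    s, o = C_RANK[subject.clearance], C_RANK[obj.classification]
    if op == "read":
        return s >= o   # clearance must dominate the classification
    if op == "write":
        return s <= o   # may only write at or above own clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Biba, the dual of BLP for integrity.
    Simple integrity property: no read down.  *-integrity property: no write up."""
    s, o = I_RANK[subject.integrity], I_RANK[obj.integrity]
    if op == "read":
        return s <= o   # only read from sources at least as trustworthy
    if op == "write":
        return s >= o   # only write to objects no more trustworthy than oneself
    raise ValueError(f"unknown operation {op!r}")


def decide(subject: Subject, obj: Obj, op: str) -> dict:
    """Evaluate one request under both models and return both verdicts."""
    return {"subject": subject.name, "object": obj.name, "op": op,
            "blp": "allow" if blp_allows(subject, obj, op) else "deny",
            "biba": "allow" if biba_allows(subject, obj, op) else "deny"}


# Constructed sample state: one analyst, one sensitive plan, one public document.
ANALYST = Subject("analyst", clearance="secret", integrity="medium")
WAR_PLAN = Obj("war_plan", classification="top_secret", integrity="high")
PRESS_RELEASE = Obj("press_release", classification="unclassified", integrity="low")


if __name__ == "__main__":
    for obj in (WAR_PLAN, PRESS_RELEASE):
        for op in ("read", "write"):
            print(decide(ANALYST, obj, op))
```

Running the block shows the tension the textbook hints at: under BLP the analyst may append to the top-secret plan but not read it, while under Biba the same analyst may read the high-integrity plan but not modify it. A real system that needs both properties has to layer the two policies, which is why the Clark-Wilson and HRU models above approach the problem differently.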

PAGE 8 MANAGING RISK

Risk appetite (also known as risk tolerance) is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. When vulnerabilities have been controlled as much as possible, there is often remaining risk that has not been completely removed, shifted, or planned for; in other words, residual risk. Expressed another way, residual risk is a combined function of (1) a threat less the effect of threat-reducing safeguards; (2) a vulnerability less the effect of vulnerability-reducing safeguards; and (3) an asset less the effect of asset value-reducing safeguards. The figure below illustrates how residual risk persists even after safeguards are implemented.

(Whitman & Mattord, 2010)

PAGE 9 PROTECTION MECHANISMS

Access Controls
Access control encompasses four processes: obtaining the identity of the entity requesting access to a logical or physical area (identification), confirming the identity of the entity seeking access to a logical or physical area (authentication), determining which actions that entity can perform in that physical or logical area (authorization), and finally documenting the activities of the authorized individual and systems (accountability).
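The four processes become concrete when they are coded as four separate steps that run in order and that each leave an audit trail. The Python below is an added example for these materials, not code from Whitman & Mattord or from any real product; the accounts, passwords, roles and permission matrix are constructed, and PBKDF2 stands in for whatever password hashing a real system would use. Note that every path, including a failed one, is recorded: accountability is about the denied requests as much as the granted ones.

```python
# Added example (not the textbook's code): identification, authentication,
# authorization and accountability on a toy system with constructed data.
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000


def _verifier(password: str, salt: bytes) -> bytes:
    """Password verifier: salted PBKDF2-HMAC-SHA256, so no plaintext is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _make_account(password: str, roles: set) -> dict:
    salt = os.urandom(16)  # fresh random salt per account
    return {"salt": salt, "verifier": _verifier(password, salt), "roles": roles}


# Constructed accounts; the passwords exist only for this demo.
USERS = {
    "alice": _make_account("correct horse battery staple", {"analyst"}),
    "bob": _make_account("hunter2", {"intern"}),
}

# Constructed authorization matrix: role -> allowed (resource, action) pairs.
PERMISSIONS = {
    "analyst": {("server_room", "enter"), ("hr_db", "read")},
    "intern": {("server_room", "enter")},
}

# Accountability: every decision lands here (a real system uses an append-only log).
AUDIT_LOG = []

_DUMMY_SALT = b"\x00" * 16  # so unknown accounts cost the same time as known ones


def identify(claimed: str):
    """Identification: map the claimed identity to a known account, or None."""
    return claimed if claimed in USERS else None


def authenticate(username: str, password: str) -> bool:
    """Authentication: compare the submitted password with the stored verifier."""
    rec = USERS.get(username)
    if rec is None:
        _verifier(password, _DUMMY_SALT)  # equalize timing for unknown accounts
        return False
    return hmac.compare_digest(rec["verifier"], _verifier(password, rec["salt"]))


def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: is the action permitted by any of the user's roles?"""
    return any((resource, action) in PERMISSIONS.get(role, set())
               for role in USERS[username]["roles"])


def record(user: str, resource: str, action: str, outcome: str) -> None:
    """Accountability: write one audit record for the decision."""
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": user, "resource": resource,
                      "action": action, "outcome": outcome})


def request_access(claimed: str, password: str, resource: str, action: str) -> str:
    """Run the four processes in order; every outcome is logged."""
    user = identify(claimed)
    if user is None:
        record(claimed, resource, action, "unknown-identity")
        return "denied: unknown identity"
    if not authenticate(user, password):
        record(user, resource, action, "authentication-failed")
        return "denied: authentication failed"
    if not authorize(user, resource, action):
        record(user, resource, action, "not-authorized")
        return "denied: not authorized"
    record(user, resource, action, "granted")
    return "granted"


if __name__ == "__main__":
    print(request_access("alice", "correct horse battery staple", "hr_db", "read"))
    print(request_access("bob", "hunter2", "hr_db", "read"))
    print(request_access("bob", "wrong", "server_room", "enter"))
    print(request_access("mallory", "anything", "hr_db", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Two design choices are worth noticing. The comparison uses `hmac.compare_digest` and does the same hashing work for unknown accounts, so response time does not reveal which identities exist; and authorization is a lookup against roles rather than against user names, which is what keeps the permission matrix reviewable as the organization grows.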

The figure below depicts some of the biometric and other human recognition characteristics used for authentication.

Firewalls
A firewall is any device that prevents a specific type of information from moving between the outside world, known as the untrusted network (e.g., the Internet), and the inside world, known as the trusted network. The firewall may be a separate network containing a number of supporting devices. The figure below shows firewalls implemented as packet-filtering firewalls.
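A packet-filtering firewall is the simplest form of the device described above: it looks at each packet's addresses, protocol and port, walks an ordered rule list, and applies the first rule that matches. The Python below is an added example for these materials, not code from Whitman & Mattord or from any firewall product; the trusted network, the web server address, the rules and the sample packets are all constructed (the addresses are from documentation ranges). It also shows two habits worth copying in real rule sets: an anti-spoofing rule at the top and an explicit default deny at the bottom.

```python
# Added example (not the textbook's code): a stateless packet-filtering
# firewall applying an ordered rule list to constructed sample traffic.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TRUSTED_NET = "10.0.0.0/8"    # constructed inside (trusted) network
WEB_SERVER = "10.0.0.5/32"    # constructed public-facing host on the inside


@dataclass(frozen=True)
class Packet:
    iface: str            # "ext": arrived from the untrusted side; "int": from the trusted side
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None   # None matches either interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Ordered rule list: first match wins; the last rule is an explicit default deny.
RULES = [
    # Anti-spoofing: nothing arriving from outside may claim an inside address.
    Rule("deny", iface="ext", src=TRUSTED_NET),
    # Outside clients may reach the web server on HTTPS only.
    Rule("allow", iface="ext", dst=WEB_SERVER, proto="tcp", dport=443),
    # Inside hosts may initiate traffic outward.
    Rule("allow", iface="int", src=TRUSTED_NET),
    # Everything else is dropped.
    Rule("deny"),
]


def filter_packet(p: Packet, rules=RULES):
    """Return (action, index of the matching rule) for one packet."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", -1  # unreachable while the list ends in a catch-all; kept as a safety net


# Constructed sample traffic.
SAMPLE = [
    Packet("ext", "203.0.113.7", "10.0.0.5", "tcp", 443),   # HTTPS to the web server
    Packet("ext", "203.0.113.7", "10.0.0.5", "tcp", 22),    # SSH attempt from outside
    Packet("ext", "10.0.0.9", "10.0.0.5", "tcp", 22),       # outside packet with a spoofed inside address
    Packet("int", "10.0.0.9", "198.51.100.2", "udp", 53),   # inside host doing DNS
    Packet("ext", "203.0.113.7", "10.0.0.5", "icmp"),       # ping from outside
]


def summarize(packets=SAMPLE):
    """Count allow/deny decisions, as a firewall report would."""
    counts = {"allow": 0, "deny": 0}
    for p in packets:
        counts[filter_packet(p)[0]] += 1
    return counts


if __name__ == "__main__":
    for p in SAMPLE:
        print(filter_packet(p), p)
    print(summarize())
```

Because the filter is stateless, it cannot tell a reply to an inside-initiated connection from an unsolicited packet; that is the limitation stateful inspection firewalls address, and it is why rule 3 alone would not be enough to let inside hosts receive their DNS answers.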

SUMMARY Because business and technology have become more fluid, the concept of computer security has been replaced by the concept of information security. The C.I.A. triangle is based on three desirable characteristics of information: confidentiality, integrity, and availability. Information security governance is the process of creating and maintaining the organizational structures that manage the information security function within an enterprise. Contingency planning is made up of four major components: the data collection and documentation process known as the business impact analysis (BIA), the incident response (IR) plan, the disaster recovery (DR) plan, and the business continuity (BC) plan. A policy may be viewed as a set of rules that dictates acceptable and unacceptable behavior within an organization. In the largest organizations, specific InfoSec functions are likely to be performed by specialized groups of staff members; in smaller organizations, these functions may be carried out by all members of the department. Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. Residual risk is the amount of risk unaccounted for after the application of controls. A firewall in an information security program is any device that prevents a specific type of information from moving between the outside world (the untrusted network) and the inside world (trusted network).

Exercise

1. The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
   a. Risk Appetite (correct answer)
   b. Residual Risk
   c. Risk Management
   d. Managing Risk

2. Confirming the identity of the entity seeking access to a logical or physical area?
   a. Identification
   b. Authorization
   c. Authentication (correct answer)
   d. Accountability

3. A device that prevents a specific type of information from moving between the outside world, known as the untrusted network (e.g., the Internet), and the inside world, known as the trusted network?
   a. Access Control
   b. Router
   c. Wifi
   d. Firewall (correct answer)

4. An international standard (ISO/IEC 15408) for computer security certification?
   a. ITSEC
   b. Trusted Computing Base
   c. The Common Criteria (correct answer)
   d. Clark-Wilson Integrity Model

5. Security management models include all of the following except:
   a. COBIT
   b. NIST Security Models
   c. Information Technology Infrastructure Library
   d. Information Security Governance Models (correct answer)

6. Information security staffing in a medium-small organization includes all of the following except:
   a. CISO (correct answer)
   b. Security Manager
   c. Security Administrator
   d. Security Technician

7. The layers of the bull's-eye model include all of the following except:
   a. Policies
   b. Systems
   c. Management (correct answer)
   d. Applications

8. The major tasks in contingency planning include all of the following except:
   a. BIA
   b. IRP
   c. DRP
   d. BCI (correct answer)

9. The C.I.A. triangle includes all of the following except:
   a. Confidentiality
   b. Integrity
   c. Accessibility (correct answer)
   d. Availability

10. The protection of information and its critical characteristics (confidentiality, integrity, and availability), including the systems and hardware that use, store, and transmit that information, through the application of policy, training and awareness programs, and technology.
   a. InfoSec (correct answer)
   b. Security
   c. ITGI
   d. CGTF
