ICT Policies and Information Security
BIS Implementation – Topic 9
General Security Concepts
Now generally refers to an individual who attempts to gain unauthorized access to computer systems or networks.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The CIA of Information Security
From its inception, the goal of information security has been threefold:
Confidentiality: Ensures that only those individuals who have authority to view a piece of information may do so.
Integrity: Only authorized individuals should ever be able to create or change (or delete) information.
Availability: Ensures that the data, or system itself, is available for use when the authorized user wants it.
Which property of information security is affected when an IT support person is able to find out how much each employee in the company earns?
Which property of information security is affected when a web site suffers from a denial-of-service attack?
Other Goals of Information Security
As a result of increased use of networks for commerce, two additional security goals have been added
Authentication: Attempts to ensure that an individual is who they claim to be.
Non-repudiation: Deals with the ability to verify that a message has been sent and received and that the sender can be identified and verified.
The Operational Model of Information Security
Protection = Prevention + (Detection + Response)
Every security measure falls into one of these three categories
Three approaches to address the protection of computer networks:
Ignore security issues
Perhaps because the organization decides that the security threats are too small
Provide host security
Providing protection to individual computers and devices, e.g., host-based intrusion detection systems
Provide network-level security
Emphasizes the control of access to internal computers from external entities, e.g., firewalls, network intrusion detection systems.
Least privilege: a subject (a user, application, or process) should have only the rights and privileges necessary to perform its task, and no additional permissions.
This principle states that if you haven’t specifically been allowed access, then it should be denied.
Separation of Duties
A task is broken into different duties, each of which is accomplished by a separate individual.
Drawbacks: increased cost (time and money)
Benefits: individuals gain a better perspective on how the various parts of IT can enhance (or hinder) the business.
The organization suffers less from turnover of security staff.
The use of multiple layers of security measures to secure information assets.
Diversity of Defence
Use of different techniques or technologies at different layers of security, e.g., use products produced by different vendors
Security Through Obscurity
Involves protecting something by hiding it, e.g., hiding a house key under a doormat
Assumed to be effective as long as the protection mechanism is confusing or not generally known
Does not provide real protection. Fails if the secret becomes known.
Keep It Simple
You can’t secure something if you don’t understand it.
Authentication: verification of a user’s identity, i.e., proving that the user is who he or she claims to be.
Something you know, e.g., password
Something you have, e.g., security token
Something about you (something that you are), e.g., your fingerprint
Use of a combination of the above approaches for authentication, e.g., taking cash out at an ATM involves:
Something you have (the bank card)
Something you know (the password)
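As an added example, not taken from the slides or from the Conklin et al. text, here is a Python login check that combines something you know (a salted PBKDF2 password hash) with something you have (a time-based one-time code generated by a token, per RFC 4226/6238). The user record, password and salt are constructed for the demonstration; the token secret is the RFC 4226 test key, chosen so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values (assumptions, not from the slides).
_SALT = b"constructed-salt-value"
_PBKDF2_ROUNDS = 100_000
# RFC 4226 test-vector key, used here as the shared secret stored on the user's token.
_RFC4226_KEY = b"12345678901234567890"
_TOTP_STEP = 30  # seconds per TOTP time slice


def hash_password(password: str, salt: bytes = _SALT) -> bytes:
    """'Something you know': store a slow, salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)


# Constructed user store: one user with a password hash and a token secret.
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_secret": _RFC4226_KEY,
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = _TOTP_STEP, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, now // step, digits)


def verify_login(username: str, password: str, code: str,
                 now: Optional[int] = None, window: int = 1) -> bool:
    """Two-factor check: both factors must verify, and the caller only learns True or False."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown username takes as long to reject as a known one.
        hash_password(password)
        return False
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password))
    # Accept the current time slice plus `window` slices either side to tolerate clock drift.
    current = now // _TOTP_STEP
    otp_ok = any(
        hmac.compare_digest(hotp(user["totp_secret"], c), code)
        for c in range(current - window, current + window + 1)
    )
    return pw_ok and otp_ok


if __name__ == "__main__":
    # At Unix time 59 the token shows the RFC 4226 code for counter 1.
    print(totp(_RFC4226_KEY, 59))
    print(verify_login("alice", "correct horse battery staple", "287082", now=59))
```

The password check and the one-time code are evaluated independently and both results are combined into a single answer, so a caller cannot tell which factor failed; `compare_digest` is used for both comparisons so the comparison time does not depend on how many characters matched.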
Access control: the ability to control whether a subject (an individual or process) can interact with an object.
Once a user is authenticated, access controls regulate what the individual can actually do on the system
Involves the use of access control lists (ACLs)
An ACL is a mechanism used to define whether a user has certain access rights
The process of convincing an authorized individual to provide confidential information or access to an unauthorized individual.
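An added Python example, not from the slides, showing how the principles of least privilege and implicit deny from earlier in this topic look in an access control list: entries only ever grant rights, a request that matches no entry is denied, and a review function lists granted rights that an access log shows were never exercised. The object names, roles and log lines are constructed for the example; the payroll object echoes the earlier question about an IT support person reading salaries.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class AclEntry:
    principal: str          # a user or a role (roles are prefixed "role:" in this example)
    obj: str                # the protected object
    rights: FrozenSet[str]  # rights explicitly granted: only what the principal needs


class AccessControlList:
    """Allow-list ACL. There is no 'deny' entry type: a request that matches no
    entry is refused, which is what implicit deny means in practice."""

    def __init__(self) -> None:
        self.entries: List[AclEntry] = []

    def grant(self, principal: str, obj: str, *rights: str) -> None:
        self.entries.append(AclEntry(principal, obj, frozenset(rights)))

    def entries_for(self, principals: Iterable[str]) -> List[AclEntry]:
        wanted = set(principals)
        return [e for e in self.entries if e.principal in wanted]

    def is_allowed(self, user: str, roles: Iterable[str], obj: str, right: str) -> bool:
        """True only if an entry for the user, or one of its roles, grants this right on this object."""
        return any(e.obj == obj and right in e.rights
                   for e in self.entries_for([user, *roles]))


def build_payroll_acl() -> AccessControlList:
    """Constructed grants: HR can read and change payroll; IT support can only take backups of it."""
    acl = AccessControlList()
    acl.grant("role:hr-payroll", "payroll.db", "read", "write")
    acl.grant("role:it-support", "payroll.db", "backup")
    acl.grant("role:it-support", "mail-server", "restart")
    return acl


# Constructed access log: (user, roles, object, right that was requested and granted).
ACCESS_LOG: List[Tuple[str, List[str], str, str]] = [
    ("carol", ["role:hr-payroll"], "payroll.db", "read"),
    ("dave", ["role:it-support"], "payroll.db", "backup"),
    ("dave", ["role:it-support"], "payroll.db", "backup"),
]


def unexercised_rights(acl: AccessControlList,
                       log: Iterable[Tuple[str, List[str], str, str]]) -> Set[Tuple[str, str, str]]:
    """Least-privilege review: rights granted but never used in the log are candidates for removal."""
    granted = {(e.principal, e.obj, r) for e in acl.entries for r in e.rights}
    used = set()
    for user, roles, obj, right in log:
        for e in acl.entries_for([user, *roles]):
            if e.obj == obj and right in e.rights:
                used.add((e.principal, obj, right))
    return granted - used


if __name__ == "__main__":
    acl = build_payroll_acl()
    print("dave read payroll.db:", acl.is_allowed("dave", ["role:it-support"], "payroll.db", "read"))
    print("mallory read payroll.db:", acl.is_allowed("mallory", [], "payroll.db", "read"))
    print("granted but unused:", sorted(unexercised_rights(acl, ACCESS_LOG)))
```

Because the list holds only grants, "mallory" is refused without any rule mentioning her, and IT support cannot read payroll even though it may back it up. The review function is the operational side of least privilege: rights that are never used in a review period are the ones to question.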
Human factor – the weakest link in information security
Example: dumpster diving
Countermeasure: training and education
Policies are high-level statements created by management that lay out the organization’s positions on particular issues.
Procedures are step-by-step instructions that prescribe exactly how employees are expected to act in a given situation or to accomplish a specific task.
Standards (in this context) describe the mandatory elements regarding the implementation of a policy.
Some security-related policies
Change management policy
Describes how to request, approve, implement and document a change in IT infrastructure.
Classification of information
Acceptable use policy
Internet usage policy (Example)
Email usage policy (Example)
Due care or due diligence
Defines reasonable care
Guarantees fairness in relation to an individual’s legal rights, e.g., privacy
Need to Know
Goes hand-in-hand with least privilege
Disposal and Destruction Policy
Service Level Agreement (SLA)
Human Resources Policies
Employee hiring and promotions
Retirement, separation, or termination of employees
Disaster Recovery and Business Continuity
Can be caused by people or nature (e.g., flood, earthquake, etc.)
How long the business is disrupted depends on how prepared it is for a disaster
Disaster Recovery Plans / Process
A disaster recovery plan (DRP) defines the data and resources necessary, and the steps required, to restore critical organizational processes.
Business impact assessment (BIA) for DRP design:
Who is responsible for the operation of this function?
What do these individuals need to perform the function?
When should this function be accomplished relative to other functions?
Where will this function be performed?
How is this function performed (what is the process)?
Why is this function so important or critical to the organization?
Importance of reviewing the DRP
Categories of Business Functions
Business Continuity Plans (BCP)
For many organizations, BCP = DRP
Focus of BCP: continued operation
Focus of DRP: recovery and rebuilding of the business, and the protection of human life
DRP can be viewed as part of BCP
BCP describes the functions most critical to the organization and the order in which functions should be returned to operation
Should include an IT contingency plan
Recovery strategy for IT systems or applications, operations, and data after a disruption.
Backups: a key element in any BCP or DRP
Factors to consider:
How frequently should backups be conducted?
How extensive do the backups need to be?
What is the process for conducting backups?
Who is responsible for ensuring backups are created?
Where will the backups be stored?
How long will backups be kept?
How many copies will be maintained?
What Needs to Be Backed Up
Data that an organization relies on to conduct its daily operation
Application programs needed to process the data
Operating system and utilities that the hardware platform requires to run the applications
Strategies for Backups
Size of backup
Time required to conduct backup
Frequency of backup
Who is responsible for backup
Where will backups be stored (alternative sites?)
How long will backups be maintained
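As an added example (not the slides' material), here is a Python retention check that answers the last three questions above for one concrete policy: every daily backup kept for 7 days, the Sunday backup kept for 4 weeks, the first-of-month backup kept for 12 months, and every retained backup required to exist at both an on-site and an off-site location. The policy numbers, the backup dates and the site inventory are assumptions constructed for the demonstration.

```python
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set

# Constructed retention policy (assumption, not from the slides).
DAILY_DAYS = 7                           # keep every daily backup for a week
WEEKLY_WEEKS = 4                         # keep the Sunday backup for four weeks
MONTHLY_MONTHS = 12                      # keep the first-of-month backup for a year
REQUIRED_SITES = {"onsite", "offsite"}   # copies that must exist for every retained backup


def classify(backup_day: date, as_of: date) -> Optional[str]:
    """Return the tier that keeps this backup as of `as_of`, or None if it may be expired."""
    age_days = (as_of - backup_day).days
    if age_days < 0:
        return None                                   # future-dated: treat as invalid
    if age_days < DAILY_DAYS:
        return "daily"
    if backup_day.weekday() == 6 and age_days < WEEKLY_WEEKS * 7:   # weekday 6 is Sunday
        return "weekly"
    months_old = (as_of.year - backup_day.year) * 12 + (as_of.month - backup_day.month)
    if backup_day.day == 1 and months_old < MONTHLY_MONTHS:
        return "monthly"
    return None


def backups_to_keep(backup_days: Iterable[date], as_of: date) -> Dict[date, str]:
    """Map each backup date that must be retained to its tier; anything absent may be expired."""
    kept: Dict[date, str] = {}
    for d in backup_days:
        tier = classify(d, as_of)
        if tier:
            kept[d] = tier
    return kept


def tier_counts(kept: Dict[date, str]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for tier in kept.values():
        counts[tier] = counts.get(tier, 0) + 1
    return counts


def missing_copies(kept: Dict[date, str], inventory: Dict[date, Set[str]]) -> Dict[date, Set[str]]:
    """Retained backups that are not present at every required site, with the sites they lack."""
    gaps: Dict[date, Set[str]] = {}
    for d in kept:
        have = inventory.get(d, set())
        if not REQUIRED_SITES <= have:
            gaps[d] = REQUIRED_SITES - have
    return gaps


def daily_dates(first: date, last: date) -> List[date]:
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


# Constructed scenario: one backup per day since 2023-01-01, reviewed on 2024-03-15.
AS_OF = date(2024, 3, 15)
BACKUPS = daily_dates(date(2023, 1, 1), AS_OF)
# Constructed inventory: everything is on-site, but the off-site copy of Sunday 2024-03-03 was never made.
INVENTORY = {d: {"onsite", "offsite"} for d in BACKUPS}
INVENTORY[date(2024, 3, 3)] = {"onsite"}

if __name__ == "__main__":
    kept = backups_to_keep(BACKUPS, AS_OF)
    print(f"{len(BACKUPS)} backups, {len(kept)} retained: {tier_counts(kept)}")
    for d, gap in sorted(missing_copies(kept, INVENTORY).items()):
        print(f"{d} ({kept[d]}) missing copies at: {sorted(gap)}")
```

Run against the constructed scenario, 440 daily backups reduce to 22 that the policy still needs (7 daily, 3 weekly, 12 monthly), and the inventory check flags the one retained backup with no off-site copy, which is the kind of gap that only shows up when the plan is tested rather than assumed.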
Computer Incident Response Teams (CIRT)
Also known as Computer Emergency Response Team (CERT)
Conducts investigations into incidents and makes recommendations on how to proceed
Consists of permanent and ad hoc members
Consists of technical as well as non-technical personnel (who can provide guidance on ways to handle media attention, legal issues, and management issues).
Members should be notified of membership before an incident occurs
Test, Exercise, and Rehearse
All key individuals should know their role in the plan.
Organizations should practice their DRP periodically.
Group discussion of an “incident”
Tests on certain aspects of the plan
Full operational exercise to test all aspects of the plan
It is important to perform as many recovery functions as possible without impacting ongoing operations
Conklin, W. A., White, G., Williams, D., Davis, R., Cothren, C., Schou, C. (2012) “Chapter 2: General Security Concepts.” Principles of Computer Security: CompTIA Security+ and Beyond, 3rd Edition, McGraw-Hill.
Conklin, W. A., White, G., Williams, D., Davis, R., Cothren, C., Schou, C. (2012) “Chapter 19: Disaster Recovery, Business Continuity, and Organizational Policies.” Principles of Computer Security: CompTIA Security+ and Beyond, 3rd Edition, McGraw-Hill.