Documente Academic
Documente Profesional
Documente Cultură
Review
Information Security
Governance & Risk
Management Domain
Version: 5.10
CISSP Common Body of Knowledge Review by Alfred Ouyang is licensed under the Creative Commons
Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite
900, Mountain View, California, 94041, USA.
Learning Objectives
-2-
Learning Objectives
-3-
Learning Objectives
Breadth of Knowledge
InfoSec & Software
Risk Telecom Dev. Access
Security
Management & Cryptography Security BCP & DRP Control
Netowrk
Architecture Legal,
& System Ops Physical
Investigation,
Design Security &
Security Ethics -6-
Information Security Concept
Security Objectives
• Confidentiality
– “Preserving authorized restriction on information access and
disclosure, including means for protecting personal privacy
and proprietary information.” (44 USC Sec. 3542)
• Integrity
– “Guarding against improper information modification or
destruction, and includes ensuring information non-
repudiation and authenticity.” (44 USC Sec. 3542)
• Availability
– “Ensuring timely and reliable access and use of information.”
(44 USC Sec. 3542)
-7-
Information Security Concept Law, Regulations, and Policies:
·
Security Implementation Principles FISMA, SOX, GBL, National Security Act,
USA PATRIOT ACT, etc.
· OMB A-130, A-11, etc.
• Confidentiality, Integrity, Availability · E.O. 13292, 12968, etc.
· DoD 5200.1-R, etc.
• Need-to-know Security Objectives:
– Users should only have access to · Confidentiality
· Integrity
information (or systems) that enable · Availability
them to perform their assigned job
functions. Standards and Best Practices
· NIST FIPS, SP 800-x, etc.
• Least privilege · COBIT, ITIL, Common Criteria
· ISO/IEC 27001, 21827, etc.
– Users should only have sufficient · DoDI 8500.2, 8510.01
access privilege that allow them to Security Implementation
perform their assigned work. Principles:
· Confidentiality, Integrity,
• Separation of duties Availability
· Need-to-Know
– No person should be responsible for · Least Privilege
· Separation of Duties
completing a task involving sensitive,
valuable or critical information from the Benchmarks and Guidelines:
beginning to end. · NIST National Checklist, DISA STIGs, CIS
Benchmarks, etc.
– No single person should be responsible
for approving his/her own work.
-8-
Information Security Concept
-9-
Information Security Concept
Indirectly affects
threat agent exploits the Risk
discovered vulnerability. Reduces/
Eliminates
• Countermeasure / safeguard.
And causes an
An administrative, Counter
measure
operational, or logical Can be countered by a
Security Controls
“Security controls are the management, operational,
and technical safeguards or countermeasures
employed within an organizational information system
to protect the confidentiality, integrity, and availability
of the system and its information.”
– What security controls are needed to adequately mitigate the
risk incurred by the use of information and information
systems in the execution of organizational missions and
business functions?
– Have the selected controls or is there a realistic plan for their
implementation?
– What is the desired or required level of assurance (i.e.,
grounds for confidence) that the selected security controls,
as implemented are effective in their application?
Reference: NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems.
- 11 -
Information Security Concept
- 13 -
Information Security Concept
- 14 -
Information Security Concept
• Functional requirements
Assurance
Example:
Functional
Requirements
Requirements • VLAN technology shall be created
For establishing
For defining security
confidence that the to partition the network into multiple
behavior of the IT
product or system.
security function will mission-specific security domains.
perform as intended.
• The integrity of the internetworking
architecture shall be preserved by
the access control list (ACL).
- 16 -
Information Security Concept
Evaluation
EAL Assigned
Reference:
- Draft NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, February 2013.
- ISO/IEC 15408, Common Criteria Evaluation & Validation Scheme (CCEVS), Version 2.3, August 2005.
- 17 -
Information Security Concept
• Due Diligence
– Continual actions that an organization are doing to protect
and minimize risk to its tangible and intangible assets.
- 19 -
Information Security Concepts
Information Assurance
“Defense-In-Depth” Strategy
People People
Executing
Operations Operations
Technology Supported by
Technology
References
• NSA IA Solution Directions, Information Assurance Technical Framework, Release 3.1
• ISO/IEC 27002:2005, Code of Practice for Information Security Management
- 21 -
Information Security Concept
- 23 -
Answers:
• What are the three security objectives?
– Confidentiality
– Integrity
– Availability
- 24 -
Questions:
• What are the eight security “best practices”?
–
–
–
–
–
–
–
–
Typical Outputs:
– Policies, Standards, and Procedures
– System Security Plan (SSP) or System Security Authorization
Agreement (SSAA)
– ST&E Report, Risk Statement, and POA&M for Risk Mitigation
- 28 -
Information Security Management
- 29 -
Learning Objectives
Executive Orders
Organizational
DoD Directives
Policies
Joint Doctrines
Process:
Guidelines:
Standards: DITSCAP / Procedure:
Standards Process Procedure Guidelines DISA STIGs
DoD Regulations DIACAP DoD Manuals
NSA SNAC SCGs
SIPRNet CAP
- 31 -
Information Security Governance
Policies
Policies:
• Explain laws, regulations, business/mission needs, and
management expectations (goals & objectives).
• Identify roles and delineate responsibilities.
• Federal (/Civil)
Implementation
Policies
• Military
– DoD Directives, Instructions, Manuals, etc.
• Intelligence
– Director, Central Intelligence Directives (DCID).
- 32 -
Information Security Governance
- 33 -
Information Security Governance
Standards
Standards:
• Mandatory activities, actions, and rules for the
execution of management (or administrative)
policies
Examples:
• Federal (/ Civil)
– Federal Information Processing Standards (FIPS)
• Military Law, Regulations
• Commercial (/ Industry)
– ISO/IEC 27001, BS 7799, etc.
Standards Process Procedure Guidelines
- 34 -
Information Security Governance
Standards
• DoD 5200.28-STD Trusted
Computer System
Evaluation Criteria (TCSEC)
– Evaluates Confidentiality.
Orange Book Canadian Criteria
(TCSEC) 1985 (CTCPEC) 1993
ISO 15408-1999
Common Criteria • Information Technology
UK Confidence Federal Criteria (CC)
Levels 1989 Draft 1993 V1.0 1996
V2.0 1998
V2.1 1999
Security Evaluation Criteria
(ITSEC)
German ITSEC – Evaluates Confidentiality,
Criteria 1991
Integrity and Availability.
French
Criteria • Common Criteria (CC)
– Provided a common
structure and language.
– It’s an International standard
(ISO 15408).
- 35 -
Information Security Governance
• ISO/IEC 27002:2005 is a
“Code of practice” for
information security
management
Reference:
ISO/IEC 27001:2005, Information Security Management Systems - Requirements, 2005.
ISO/IEC 27002:2005, Code of Practice for Information Security Management, 2005.
- 36 -
Information Security Governance
•
Policies
- 37 -
Information Security Governance
Guidelines
Guidelines:
• Frameworks or recommendations that facilitate
implementation of policies, standards, processes,
and procedures.
Examples:
• Federal (/ Civil)
– NIST Special Publications (NIST SP 800 series).
• Military
– NSA-IATF, NSA-IAM, NSA-IEM. Law, Regulations
• Commercial Functional
Implementation
Policies
- 38 -
Question:
• What are the four types of documents that provide
governance to IT security?
–
–
–
–
- 39 -
Answer:
• What are the four types of documents that provide
governance to IT security?
– Policy
– Standard
– Procedure (or Manual)
– Guideline
- 40 -
Learning Objectives
- 42 -
Information Classification
- 44 -
Questions:
• What is the importance of information classification?
–
- 45 -
Answers:
• What is the importance of information classification?
– Explains the sensitivity of the information, and the level of
protection required to meet the security objectives
- 46 -
Notes on NIST SP 800-59
The information classification concept is also
implemented for information systems that store,
process, and distribute national security information…
• NIST SP 800-59, Guideline for Identifying an
Information System as a National Security System,
August 2003.
– It’s a guideline for identification only,
– It does not discuss how information should be managed, and
– Agencies have to establish their own policies
- 47 -
Learning Objectives
- 49 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Requirements Requirements
Design Design
Implementation Implementation
Verification Verification
Maintenance Maintenance
- 50 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Reference: http://csse.usc.edu/people/barry.html - 51 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
- http://www.cs.bgsu.edu/maner/domains/RAD.htm
design process, coding, test & integration, technical and
project reviews etc.
Reference:
- 52 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Reference: B. Boehm, J.A. Lane, Using the Incremental Commitment Model to Integrate System Acquisition,
Systems Engineering, and Software Engineering, CrossTalk, October 2007.
- 53 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Requirements
Analysis
Detailed
Architecture Design
Design
Coding and
Detailed Debugging
Design Subsystem
Coding and Testing
Detailed Debugging
Design Subsystem
Coding and Testing
Debugging
Subsystem
Testing
System Testing
Deployment
Reference: Rapid Development: Taming Wild Software Schedules, Steve McConnell,
Microsoft Press, 1996
- 54 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Reference:
* J. Gorman, G. Kim, Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed, RSA Conference 2012
(http://www.slideshare.net/realgenekim/security-is-dead-long-live-rugged-devops-it-at-ludicrous-speed)
** Jon Jenkins, Velocity Culture, O’Reilly Velocity 2011, (http://www.youtube.com/watch?v=dxk8b9rSKOo)
- 56 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
INCOSE SE
Handbook
(2000 - 2010)
MIL-STD 499 MIL-STD 499A MIL-STD 499B
(1969) (1974) (1994)
ISO/IEC 15288
(2002 - 2008)
Software Engineering
ISO/IEC 12207 ISO/IEC 12207
(1995) (1996 - 2008)
DOD-STD 2167A
(1988)
DOD-STD 7935A
(1988)
- 58 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Software
Process Software
Acceptance
Implementation Installation
Support
Project
System
Software Software
Requirements Qualification
Analysis Testing
Software
Software
Architectural
Integration
Design
Software
- 60 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Stakeholder
Project Planning
encompasses: Acquisition Process
Process
Requirements
Definition Process
Disposal Process
* Note: ISO/IEC 15288 is identical to IEEE Std 15288
- 61 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Configuration
Integration Process
Life Cycle Model Management Process Software Construction Software Validation
Management Process Process Process
Information
Verification Process
Infrastructure Management Process Software Integration Software Review
Management Process Process Process
Validation Process
Human Resource Software Problem
Validation Process
Management Process Resolution Process
Operation Process
Quality Management
Process Software Reuse Processes
Maintenance Process Domain Engineering Reuse Program
Process Management Process
Fabrication
Assembly,
System Preliminary Detailed
Integration
Definition Design Design
& Test
(FAIT)
- 63 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Reference: NIST SP 800-64, Rev 2,Security Considerations in the Information System Development Life Cycle.
- 64 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
PHASE 6:
PHASE 2:
67
It starts at the beginning of a SDLC…
DoD
IEEE 1220 Acquisition Key System Engineering Tasks Key Security Engineering Tasks*
SDLC
User Needs & Task 1: Discover Mission/Business Needs Task 1: Discover Information Protection Needs
Technology • Understand customer’s mission/business goals (i.e., initial • Understand customer’s information protection needs (i.e.,
Opportunities capability, project risk assessment) infosec. risk assessment)
• Understand operating environment (i.e., sensitivity of
• Understand system concept of operations (CONOPS)
information assets, mode of operations)
Concept • Create high-level entity-data relations model (i.e., system
Stage Concept • Create information management model (IMM)
context diagram)
Refinement
• Define engineering project strategy and integrate into the • Define information protection policy (IPP) and integrate into
overall project strategy the project strategy
• Create system engineering management plan (SEMP) • Create system security plan (SSP) and integrate into SEMP
Milestone A Task 6: Assess project performance in meeting mission/business needs
- 72 -
Questions:
• What classic system development life cycle (SDLC)
model allows system engineers go back to the
previous step?
–
- 73 -
Questions:
• What classic system development life cycle (SDLC)
model allows system engineers go back to the
previous step?
– Modified Waterfall
- 74 -
Learning Objectives
What is a Risk?
• Risk is the relationship between the likelihood of a
loss and the potential impact to the business (/
mission).
- 76 -
Risk Management
• Vulnerability. A weakness or
Leads to
flaw that may provide an Vulnerability
Indirectly affects
• Risk. The likelihood of a threat Reduces/
Risk
Asset
vulnerability. Can damage
» VZ (Verizon)
» USSS (United States Secret Service)
Risk Management
Risk Mgmnt.
Risk Identification Risk Prioritization Risk Monitoring
Planning
Reference: Software Risk Management, B. Boehm, IEEE Computer Society Press , 1989.
- 79 -
Information Security Management
“All Security Involves Trade-offs”
• Step 1: What assets are you trying to
protect?
• Step 2: What are the risks to these assets?
• Step 3: How well does the security solution
mitigate those risks?
• Step 4: What other risks does the security solution
cause?
• Step 5: What cost and trade-offs does the security
solution impose?
Fundamental revisited
• Risk assessment activities: risk identification, risk
analysis, and risk prioritization
• Risk control activities: risk management planning, risk
resolution, and risk monitoring
Risk Management
Risk Mgmnt.
Risk Identification Risk Prioritization Risk Monitoring
Planning
Reference: Software Risk Management, B. Boehm, IEEE Computer Society Press , 1989.
- 83 -
Risk Management
- NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessments, Sept. 2011
· Software CIs Preparing for Risk · System Functions
· System I/Fs · System & Data Criticality
· Data & Info.
Assessment · System & Data Sensitivity
· People (System Characterization) · Information Management
· Mission Model (IMM)
· Threat-source motivation
· Threat capacity Determine Likelihood
· Likelihood Rating
· Nature of vulnerability of Occurrence
· Current controls
Reference:
· Risks & Associated Risk
· Likelihood of threat
Levels
exploitation
· Information Protection
· Magnitude of impact Determine Risk Plan (IPP)
· Adequacy of planned or
· Plan of Actions &
current controls
Milestones (POA&M)
- 84 -
Risk Management
Serious
• Exposure Factor (EF). Percentage of (Moderate) 1 2 3
loss from a specific threat. Mild (Low) 1 1 2
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are low, medium, or high.
- 85 -
Risk Management
- 86 -
Risk Management
–
Organized Crime modification /
International Press (Moderate) (Likelihood =
Moderate)
Active Attacks
destruction
(Integrity)
Risk Value = 2
- 87 -
Risk Management
- 88 -
Questions
• What are the two types of risk analysis methods?
–
–
- 89 -
Answers
• What are the two types of risk analysis methods?
– Qualitative
– Quantitative
- 90 -
Learning Objectives
Concept
• Certification is a disciplined approach to evaluate
level of conformance to the prescribed security
requirements and the implemented security controls
to a security enclave.
- 93 -
Certification & Accreditation (C&A)
- 94 -
Information Security Management
- 96 -
Certification & Accreditation (C&A)
- 97 -
Certification & Accreditation (C&A)
DIACAP
INFOSEC Enhancements
INFOSEC Enhancements
ASSESSMENTS
(Level I)
EVALUATIONS
(Level II)
RED TEAM
(Level III)
- 100 -
Security Assessment
Observe
Orient
Decide
Act
Observe
Orient
Decide
Act
Page 101
Security Asssessment
Observe
Orient
Decide
Act
Observe
Orient
Decide
Act
Observe
Orient
Decide
Act Reference:
• T. Sanger, Keynote Address, 7th Annual IT Security Automation
Agency’s defensive operation Conference, Oct. 31, 2011.
• T. Keanini, Boyd’s OODA Loop and Continuous Monitoring, 7th
Agency’s security automation-enabled cyber operations Annual IT Security Automation Conference, Oct. 31, 2011.
Page 102
Questions:
• When should risk assessment be performed in a
typical system life cycle?
–
- 103 -
Answers:
• When should risk assessment be performed in a
typical system life cycle?
– Risk management is a life cycle activity. Risk assessment
should be performed periodically throughout the system life
cycle
- 104 -
Questions:
• In qualitative risk assessment method, what are the
two variables for determining risks?
–
- 105 -
Answers:
• In qualitative risk assessment method, what are the
two variables for determining risks?
– Likelihood and Impact.
- 106 -
Learning Objectives
Check-in Baseline
Change
Report Change
Status to CCB
Close CCR
- 108 -
Configuration Management
- 109 -
Configuration Management
Deviation
Security configuration
Security configuration
benchmark for SWCI-3
benchmark for SWCI-2
Security configuration
Security configuration
Security configuration
Deviation
benchmark for SWCI-1
An IT asset
Page 110
Configuration Management
Sub-agency security
posture reporting data
Organization
Enterprise Sec. Mgmt
& Oversight
Organizational-Level Context and
Perspectives
Organizational IT assets
References:
* The Global State of Information Security 2008, CSO Online (http://www.csoonline.com/article/print/454939)
- 114 -
Personnel Security
References: Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model, CERT
Program, Software Engineering Institute and CyLab at Carnegie Mellon University, June 2009.
- 115 -
Learning Objectives
121
Project Management
122
Project Management
Activity
4 x FTE
Activity
(e.g. development of a functional
module, software code, etc.) 3 x FTE
1 x FTE
Time
123
Project Management
124
Project Management
Reference:
• The Principle of Scientific Management, by Frederick Winslow Taylor, 1911.
• http://en.wikipedia.org/wiki/Critical_path_method
• http://en.wikipedia.org/wiki/PERT 125
Project Management
126
Project Management
127
Project Management
t = 7 wk
1.3 t = 5 wk
C t = 2 wk
G
E
1.0 A 1.1 B 1.2 F 1.5
t = 3 wk
t = 3 wk t = 4 wk D H
t = 5 wk
t = 8 wk 1.4
128
Management Methodologies
129
Management Methodologies
130
Some serious facts about the current state of federal IT
projects
• Government Accountability Office (GAO) reported:
– “… for fiscal year 2006, nearly 25% of the funds (IT budget)
requested, totaling about $15 billion, were considered by
OMB to be at risk.”
– “In the case of risk assessment, supporting documentation
for about 75% of the investments did not address OMB’s
required risk categories.”
• Government Computer News (GCN) reported a
survey from 104 Federal IT executives:
– Reasons for program over-run are…
• 65+%: Poor program management.
• 54%: Scope creep.
– Key to reduce number of failed agency IT projects is…
• Training.
Resource:
• GAO-06-250 Information Technology: Agencies Need to Improve the Accuracy and Reliability of Investment Information.
• http://www.gcn.com/online/vol1_no1/42733-1.html 131
Project Management
Reference:
• http://www.acq.osd.mil/pm/historical/ansi/ansi_announce.html
• http://www.ndia.org/Content/ContentGroups/Divisions1/Procurement/NDIA_PMSC_EVMS_IntentGuide
_Jan2006U1.pdf 132
Project Management
133
Project Management
134
Project Management
= CV (-$50k)
Budget at
Completion
$450k ACWP (BAC)
CV
$400k BCWP
BCWP = $400k
ACWP = $450k
CV = - $50k
Actual Costs CPI = .89
t0 Time
137
Project Management
CV
Question: $400k BCWP
Answer: t0 Time
138
Project Management
$500k BCWS
= SV (- $100k) Budget at
Completion
SV
(BAC)
$400k BCWP
BCWP = $400k
BCWS = $500k
SV = - $100k
SPI = .80
t0 Time
139
Project Management
Budget at
Completion
SV
(BAC)
Question:
If SPI < 1 then how $400k BCWP
140
Project Management
Project Recovery
$$
Project
Recovery Budget at
Completion
$450k ACWP (BAC)
$400k CV BCWP
BCWP = $400k
ACWP = $450k
CV = - $50k
Actual Costs CPI = .89
t0 Time
141
Project Management
Project Recovery
• Use CPM to find task dependencies.
• Use PERT to locate effect(s) on schedule.
• Use Cause-Effect (Fishbone) to locate problem.
Major cause category Major cause category
Secondary cause
142
Validation Time…
1. Classroom Exercise
2. Review Answers
- 143 -
Exercise #1: Build Security In
• A civilian agency is planning an acquisition of an
information system…
– Please identify key security engineering tasks required.
- 144 -
Exercise #2: Risk Management Process
• A civilian agency is planning an acquisition of an
information system that will assess the security
configuration settings of IT assets in a Secret-System
High operating enclave.
– Please identify the attributes required to enable you to
determine the information protection needs.
- 145 -