Fundamentally, information security assurance is a business issue that must be addressed in the context of the enterprise business framework. This article provides an overview of the challenges that constrain responsible security management and offers strategies as well as specific tools and techniques for evaluating, controlling, and implementing security across an enterprise. The following topics are included:
- Fundamental principles of information security
- Foundation security terminology
- Security roles and responsibilities
- Security policies, procedures, standards and guidelines
- Security risk management
Fundamental principles of information security
Information assurance is based on three core principles:
- Confidentiality: prevent unauthorized disclosure of sensitive information for data at rest, in transit or during transformation.
- Integrity: prevent unauthorized modification, replacement, corruption or destruction of systems or information.
- Availability: prevent disruption of service and productivity, addressing threats that could render systems inaccessible.
This section will touch briefly on examples of typical security vulnerabilities related to each of these principles (e.g., denial-of-service attacks, which threaten availability) and on the challenges of mitigating them through security awareness, timely security patching, system hardening and remote-access control, encryption, network monitoring and intrusion response, and developer attention to fault tolerance and coding quality. Minimizing organizational damage is stressed, for instance through swift response to intrusions and recovery from incidents using intrusion-response teams and efficient backup and recovery methods.
Foundation security terminology
The following foundation terminology will be introduced, defined and related: vulnerability, threat, risk, exposure and countermeasure.
Security roles and responsibilities
This section provides an overview of security responsibility as it relates to enterprise roles. The importance of layering security responsibilities across enterprise roles is stressed, and the roles typically connected to security (e.g., data owner, custodian, user, auditor, senior manager and security professional) are explored. The challenges surrounding security awareness and training, hiring and termination practices, and the operational security skill and knowledge level needed to support these and other roles are touched on.
Deeper discussion is provided regarding the primary management roles (executive, administrative and operational). Government mandates, such as HIPAA and Sarbanes-Oxley, make it abundantly clear that management executives are ultimately responsible for the protection of all organizational assets, including private and proprietary information. Failure can result in stiff corporate -- and even personal -- penalties. Therefore, greater emphasis is placed on the exploration of executive management responsibility, which covers formalizing the security program and its leadership and ensuring, above all else, that management understands, respects and upholds its legal and ethical obligations to its workforce, owners or stockholders. A top-down, rather than bottom-up, approach is therefore stressed, as is interlocked layering of security efforts across the enterprise to provide appropriate security oversight and redundancy; the challenges posed by competing strategic, tactical and operational goals are also covered.
On the tactical side, administrative and operational security responsibilities include translating executive policies into actionable processes and procedures, adopting standards and guidelines that support the security program, and vigilantly monitoring and enforcing these measures to ensure compliance with executive management policy. Throughout this section the need for due care and due diligence, separation of duties and other generally accepted information security practices is emphasized.
Security policies, procedures, standards and guidelines
Security policies are the tangible manifestation of executive management's security vision. Policies provide explicit direction for tactical and administrative efforts. The anatomy of a quality enterprise security policy is comprehensively covered, including discussion of the mission statement, organizational security policy elements, issue-specific policy elements that target areas of concern, and system-specific policy elements. The unique characteristics of different policy types, such as regulatory, advisory or informative, are contrasted, as are the areas of control, including accountability measures, physical and environmental tactics, administrative and access controls, cryptography, business continuity planning, and computer operations and incident handling. Where security policy defines the objectives, standards, baselines and guidelines provide the methods that will be used to accomplish them. From these methods, procedures are derived that transform policies into actionable tasks, providing step-by-step instructions to ensure that the organization remains in compliance with security policy.
Security risk management
One of the most important aspects of security management is learning how to judge and justify security investment. Security risk analysis must consider a broad range of enterprise impacts, including the cost of physical environment damage, human error, equipment malfunction, hacking (from inside and outside the organization), misuse or loss of data, and application error, among others. Applicable risk management techniques are discussed, and clear guidance is provided on how to approach the challenge of balancing investments in security against other organizational requirements, whose importance may differ greatly depending on whether the organization operates in the public sector, the military or private industry. Included are overviews of concepts such as data classification, which describes the sensitivity of data (including classification levels as they are applied in private versus military organizations), risk prioritization, cost/benefit comparisons and corporate security risk mitigation strategies. The relationship of threat agents to vulnerabilities, and the types of risks they can induce, are also presented.
Risk analysis depends heavily on asset and information valuation, which can vary widely among individuals in an organization. Therefore, multi-disciplinary involvement is recommended. Either a quantitative (fact-based) or qualitative (perception-based) approach can be used, and either can be applied by manual or automated means. The advantages of each are contrasted. A systematic, quantitative approach is described in detail, which includes determining what enterprise requirements must be fulfilled, approaches to input gathering, determining loss potential (immediate or delayed), assigning cost/benefit quotients, adjusting for the cost of applying countermeasures, identifying potential threats (including those resulting from non-malicious stimulus), estimating threat frequency, and selecting the optimal countermeasures that will transfer or reduce risk. Step-by-step instructions are provided for calculating exposure factors, annualized rate of occurrence, single and annualized loss expectancy (single loss expectancy is asset value times exposure factor; annualized loss expectancy is single loss expectancy times annualized rate of occurrence), and total versus residual risk. The range of options for mitigating risk is explored, as are the functionality and effectiveness of common solutions. The alternative qualitative approaches discussed, which include the Delphi Technique for group decision-making, storyboarding, brainstorming and surveys, give the reader a well-rounded overview of risk analysis options.
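The quantitative calculation outlined above, carried through in code as an added example (not part of the original article or of the CISSP body of knowledge itself). It computes single and annualized loss expectancy for a threat, the residual loss expectancy after a candidate countermeasure, and the countermeasure's cost/benefit value (ALE before, minus ALE after, minus the annual cost of the control), then picks the control worth buying. The asset value, exposure factors, occurrence rates and control costs are constructed, hypothetical figures; the class and function names are this example's own.

```python
"""Quantitative risk analysis worked example: SLE, ALE, residual risk and
countermeasure selection. Added illustration; all figures are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Threat:
    """One asset/threat pair with the inputs the quantitative method needs."""
    name: str
    asset_value: float       # AV: valuation or replacement cost of the asset
    exposure_factor: float   # EF: fraction of AV lost in one occurrence, 0..1
    aro: float               # ARO: expected occurrences per year (0.1 = once a decade)

    def __post_init__(self) -> None:
        # Bad inputs silently produce plausible-looking numbers, so reject them early.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    """A candidate control: its annual cost and how it changes EF and/or ARO."""
    name: str
    annual_cost: float
    ef_after: Optional[float] = None    # None: the control does not change EF
    aro_after: Optional[float] = None   # None: the control does not change ARO


def residual_ale(t: Threat, cm: Countermeasure) -> float:
    """Residual risk: the ALE that remains once cm is in place."""
    after = Threat(
        t.name,
        t.asset_value,
        t.exposure_factor if cm.ef_after is None else cm.ef_after,
        t.aro if cm.aro_after is None else cm.aro_after,
    )
    return after.ale()


def safeguard_value(t: Threat, cm: Countermeasure) -> float:
    """Cost/benefit of a control: (ALE before) - (ALE after) - (annual cost).

    Positive: the control pays for itself. Zero or negative: reducing the risk
    this way costs more than the risk; accept or transfer it instead."""
    return t.ale() - residual_ale(t, cm) - cm.annual_cost


def select_countermeasure(t: Threat, options: Iterable[Countermeasure]) -> Optional[Countermeasure]:
    """Return the control with the highest positive safeguard value, or None if none is worth buying."""
    best = max(options, key=lambda cm: safeguard_value(t, cm), default=None)
    if best is None or safeguard_value(t, best) <= 0:
        return None
    return best


# Constructed sample inputs (hypothetical figures, not from the article):
# a file server worth 200,000 hit by ransomware roughly every two years,
# losing a quarter of its value per incident.
FILE_SERVER_RANSOMWARE = Threat("file server / ransomware", asset_value=200_000,
                                exposure_factor=0.25, aro=0.5)

OPTIONS = [
    # Offsite backups limit the loss per incident but not its frequency.
    Countermeasure("offsite backups", annual_cost=8_000, ef_after=0.05),
    # Hardening and patching reduce how often the incident happens at all.
    Countermeasure("endpoint hardening and patching", annual_cost=6_000, aro_after=0.1),
    # A hot site nearly eliminates the loss but costs more than the risk it removes.
    Countermeasure("hot-site failover", annual_cost=40_000, ef_after=0.02),
]


if __name__ == "__main__":
    t = FILE_SERVER_RANSOMWARE
    print(f"{t.name}: SLE={t.sle():,.0f}  ALE={t.ale():,.0f}")
    for cm in OPTIONS:
        print(f"  {cm.name:32s} residual ALE={residual_ale(t, cm):>8,.0f}"
              f"  value={safeguard_value(t, cm):>9,.0f}")
    chosen = select_countermeasure(t, OPTIONS)
    print("choose:", chosen.name if chosen else "accept or transfer the risk")
```

Note that the same ALE can be reduced by lowering either EF (containing the loss) or ARO (preventing the event); a countermeasure that nearly eliminates the loss can still be the wrong choice when its annual cost exceeds the ALE it removes, which is the point of comparing residual risk against control cost rather than choosing the strongest control.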
CISSP® is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as ISC(2).
This was first published in September 2008