Unit 2 Information Assurance Planning Process PDF

Summary

This document covers the Information Assurance Planning Process, including topics like asset management, risk management, and information assurance policy. It explores different aspects of information security, such as asset types and responsibilities, risk definitions, and the CIA triad.

Full Transcript


Unit 2: Information Assurance Planning Process

Topic 1: Asset Management

Asset Types
There are different types of assets: tangible and intangible.
- Examples of tangible assets: 1. Data files 2. Physical assets
- Examples of intangible assets: 1. Reputation 2. Workforce skillset

Organization's Assets
Data / Information, People, Hardware, Software, Services, Intangible assets.

Responsibilities for Assets
- Provide adequate levels of security.
- Assign responsibility to identified entities (named people or units).
- Define risk management and security responsibilities.
- Provide accountability for asset protection.

Three Controls (Assigning Responsibility)
Inventory, Ownership, Acceptable Use.

Inventory
- Identify and record information about the assets.
- Movements and changes are documented and the inventory is updated.

Ownership
- Assets have established owners.
- The owner is responsible for the security of the asset.
- The owner reviews the classification and the use authorisation.

Acceptable Use
- Develop policies and guidelines.
- Similar categories of assets are covered under the same policy.
- Conditions for disclosure and release of information are stated explicitly.

Classification and Handling
Classification is based on value and impact, and determines the required level of confidentiality, integrity and availability. It organises information by sensitivity and by the impact of loss, disclosure, modification and unavailability, which ensures both data protection and cost effectiveness.
Two controls are in place: Classification Guidelines, and Information Labeling and Handling.

Classification Guidelines
Considers:
- Organisation by information needs and impact
- Security classification in case of breach
- Information assurance
- Information owners
- Business, industry and legal requirements
- Organisation culture
The originator is responsible for classifying and protecting the information according to the policies and procedures.

Classification Process
Creation -> access control implementation -> method of processing -> information disposal

Labeling and Handling
Organisations must develop information handling protocols based on the classification policy; this preserves information assets. Confidentiality, integrity and assurance each have their own labeling systems, and handling procedures state where, how and what information may be stored or processed. For example, the most commonly used confidentiality labels are: secret, confidential, restricted and public.

Topic 2: Risk Management

Background
Risk management, in the context of information assurance and security, is the process of managing the risks involved in information technology systems. This includes identifying, assessing and acting on risks to data confidentiality or integrity.

Define Risks
1. The measure or extent to which an entity is threatened by a circumstance or event.
2. The likelihood of a threat event occurring.

Risk Management Process: Planning
Critical elements:
1. Establish the aim, scope and boundary.
2. Establish the risk evaluation criteria.

Asset Analysis
Analyze your assets based on their type (Hardware, Software, People, Services, Platforms). Determine their owner, their value and their impact on the organization using the CIA triad.

Using the CIA Triad
- Confidentiality: What happens if people could see this?
- Integrity: What happens if people could change this?
- Availability: What happens if authorized users can't use this?
Threat Analysis
In practice, threat analysis is conducted while referring to a database of known major threats.

The Human Threat
Human threats are analysed along three dimensions:
- The Motive: Why would they do it? Is it money, curiosity, power or revenge?
- The Opportunity: Are they in a position to do damage? Do they know of a firewall vulnerability, or can they physically enter sensitive areas?
- The Means: Can they actually do it? Do they have the expertise to damage our systems, or the means to hire someone with that expertise?
Addendum: accidents are still a human threat. An untrained or careless user does not mean to damage the systems but can still cause a cybersecurity event.

Natural Threats
Natural threats are typically weather-related phenomena, e.g. typhoons causing flooding that damages hardware. Other natural threats include earthquakes, volcanic eruptions and sinkholes. Organizations should take proper precautions and research the local area.

Vulnerability Analysis
Identify the vulnerabilities that each threat event could exploit. The goal is to find the flaws or weaknesses a threat can use. Vulnerability analysis can be carried out using lists or databases; a vulnerability management team should use advisories from manufacturers or online vulnerability databases to identify them.

Risk Identification
Risks should be identified as early as possible. A good practice is to brainstorm with the risk management team; if the team lacks the expertise, outside help should be brought in.

Risk Analysis
Risk is estimated from how much damage it can cause and how likely it is to happen. The goal of risk analysis is to identify what methods are in place to control the risk, and the strengths and weaknesses of the system.

Diagram (not reproduced in this transcript): a detailed diagram of the risk analysis process from the US NIST.

Risk Matrix
A qualitative approach to risk analysis using the "quadrants" method: each risk is placed by its likelihood and its impact.
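The following Python program is an added worked example, not code from the original slides: it walks the Topic 2 procedure end to end, rating each asset's impact with the three CIA questions, screening human threats on motive, opportunity and means, matching threats to the vulnerabilities an asset actually has, and then placing each resulting risk on a qualitative likelihood-by-impact matrix to produce a prioritized register. It generalises the slide's 2x2 "quadrants" to a three-level scale. All assets, threats, vulnerability names, ratings and the matrix cells are constructed for illustration; the rule that a deliberate human threat is dropped unless all three dimensions are present is an assumption of this example, not something the slides state.

```python
"""Qualitative risk analysis (Topic 2): asset impact from the CIA triad, threat
and vulnerability analysis, then a risk matrix that yields a prioritized
register. Illustrative code; every asset, threat, vulnerability and rating
below is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ("Low", "Medium", "High")  # ordinal scale for likelihood, impact, risk


def rank(level: str) -> int:
    """Position of a qualitative level on the scale (Low=0 ... High=2)."""
    return LEVELS.index(level)


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    kind: str             # Hardware, Software, People, Services, Platforms
    confidentiality: str  # what happens if people could see this?
    integrity: str        # what happens if people could change this?
    availability: str     # what happens if authorized users can't use this?

    def impact(self) -> str:
        """Asset impact is the worst of the three CIA answers."""
        return max((self.confidentiality, self.integrity, self.availability), key=rank)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str
    exploits: Tuple[str, ...]  # vulnerabilities this threat is able to use
    human: bool = True
    accident: bool = False     # careless/untrained user: still a human threat
    motive: bool = True
    opportunity: bool = True
    means: bool = True

    def credible(self) -> bool:
        """Assumption of this example: a deliberate human threat is screened out
        unless motive, opportunity and means are all present; accidents and
        natural threats need no motive."""
        if not self.human or self.accident:
            return True
        return self.motive and self.opportunity and self.means


# Qualitative risk matrix (likelihood, impact) -> risk level. The slide's 2x2
# "quadrants" is the same idea restricted to Low/High on each axis.
RISK_MATRIX = {
    ("Low", "Low"): "Low",     ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",  ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High",     ("High", "High"): "High",
}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerabilities: Tuple[str, ...]
    likelihood: str
    impact: str
    level: str


def analyze(assets: List[Asset], threats: List[Threat],
            vulns: Dict[str, Tuple[str, ...]]) -> List[Risk]:
    """Build the risk register. A threat only becomes a risk to an asset when
    the asset has a weakness that threat can exploit (vulnerability analysis)."""
    register = []
    for asset in assets:
        for threat in threats:
            if not threat.credible():
                continue
            exposed = tuple(v for v in vulns.get(asset.name, ()) if v in threat.exploits)
            if not exposed:
                continue
            impact = asset.impact()
            register.append(Risk(asset.name, threat.name, exposed, threat.likelihood,
                                 impact, RISK_MATRIX[(threat.likelihood, impact)]))
    # Highest risk first; ties broken by impact, then likelihood, then names.
    register.sort(key=lambda r: (-rank(r.level), -rank(r.impact),
                                 -rank(r.likelihood), r.asset, r.threat))
    return register


def prioritize(register: List[Risk]) -> Tuple[List[Risk], List[Risk]]:
    """Split the register into risks to treat now and Low risks that may be
    deferred or accepted."""
    treat = [r for r in register if r.level != "Low"]
    defer = [r for r in register if r.level == "Low"]
    return treat, defer


# Constructed sample input (not real systems).
ASSETS = [
    Asset("customer database", "dba-team", "Software", "High", "High", "Medium"),
    Asset("web server", "ops-team", "Hardware", "Low", "Medium", "High"),
    Asset("payroll staff", "hr-manager", "People", "Low", "Low", "Medium"),
    Asset("office printer", "facilities", "Hardware", "Low", "Low", "Low"),
]
THREATS = [
    Threat("external attacker", "High", ("unpatched-service", "default-creds")),
    Threat("careless user", "Medium", ("no-training", "weak-access-control"), accident=True),
    Threat("typhoon flooding", "Low", ("ground-floor-server-room",), human=False),
    # Has motive and means but no longer any access: fails the opportunity dimension.
    Threat("disgruntled ex-contractor", "High", ("default-creds",), opportunity=False),
]
VULNS = {
    "customer database": ("default-creds", "weak-access-control"),
    "web server": ("unpatched-service", "ground-floor-server-room"),
    "payroll staff": ("no-training",),
    "office printer": ("weak-access-control",),
}

if __name__ == "__main__":
    treat, defer = prioritize(analyze(ASSETS, THREATS, VULNS))
    for r in treat:
        print(f"{r.level:6} {r.asset:18} <- {r.threat} via {', '.join(r.vulnerabilities)}")
    print("deferred:", [(r.asset, r.threat) for r in defer])
```

Running it lists the three High risks first (the customer database and the web server against the external attacker, then the database against the careless user), the two Medium risks next, and leaves the printer as the single Low risk for the "may be ignored or lowered in priority" bucket; the ex-contractor never appears because the opportunity screen removed that threat before any matching was done.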
Risks in the "Low" category may be ignored or lowered in priority.

Risk Treatment
Based on the risk assessment:
- Avoid the risk: if the activity causes the risk, don't do it.
- Reduce the likelihood of occurrence.
- Reduce the consequences.
- Transfer the risk: insurance, partnerships, etc.
- Accept the risk: knowingly let it happen.

Monitoring Risks
Periodic risk assessments should be conducted, and risk reviews should occur whenever there are changes to the IT infrastructure. Organizations should develop "risk dashboards" so that risks are monitored in accordance with their priority.

Integration with Other Management Practices
- Budgeting: Risk management requires resources that may otherwise be used in other areas of the organization.
- Business Planning: The organization may have a business plan; exercises such as SWOT and PEST analysis may be used in risk analysis.
- Internal Audit: Organizations should use data from the risk management team to aid internal auditing and control reviews.
- Periodic Reporting: A periodic report is a tool management may use to monitor risks. The frequency of reporting should be based on the impact of the risk.

Topic 3: Information Assurance Policy

Information Assurance Policy
The practice of managing risks involving information, such as its use, storage, transmission and processing, including the systems and devices used in the process.

Importance
It prevents unauthorized access, use, disclosure, disruption, modification or destruction of data.

Pillars of Information Assurance Security
Confidentiality, Integrity, Availability, Authenticity, Non-repudiation.

Confidentiality
Assures that unauthorized people do not have access to information; every piece of information transferred must be encrypted so that only authorized people are able to decrypt it.

Integrity
Assures that the system is capable of protecting the data, so that the information retains its original state.
It ensures that no one can tamper with or modify the information without authorization.

Availability
Ensures that the people who are granted access have easy and timely access to the information, and that the information remains available even during unexpected scenarios.

Authenticity
Ensures that information transmitted between parties is genuine and really comes from the party it claims to come from. The system must be capable of preventing impersonation and must confirm identities before giving access to the information.

Non-repudiation
Ensures that neither party can later deny having taken part in an exchange: a sender cannot deny having sent a message and a receiver cannot deny having received it, because both obtain proof that the message passed between their confirmed identities.

Topic 4: Human Resource Assurance
This topic discusses controls that can be used to reduce human risks.

Recruitment
There are four essential areas of focus applicable to the recruitment process:
1. Inclusion of information assurance aspects in the job scope and description.
2. A defined level of confidentiality or sensitivity required for the position.
3. Filling vacant positions with suitable candidates.
4. Use of legal documents to enforce information assurance.

Include Security in the Job Scope/Description
The job scope and description should give a clear explanation of the employee's roles, responsibilities and authorities in the organization. It is crucial to state the access level the employee holds during their tenure. A defined job scope and description eliminates "gray" areas about employee responsibilities and how to respond in different situations. Organizations may consider using an information assurance workforce framework such as the United States National Initiative for Cybersecurity Education (NICE). NICE provides organizations with a common understanding and lexicon for information assurance workforces. The NICE framework categories are:
1. Operate and Maintain
2. Protect and Defend
3. Oversight and Development
4. Collect and Operate
5. Analyze
6. Securely Provision
7. Investigate

Defined Level of Confidentiality or Sensitivity
Employees should have only sufficient access to perform their duties, so as to avoid disclosure of information to unauthorized personnel. Two general principles apply when granting access: division of duties (separation of duties) and restriction of employee rights (least privilege).

Filling the Position
Individuals should be placed in specific positions within the organization based on their qualifications, the position's confidentiality level, and suitable screening and selection methods. Select the best candidate for the job.

Use of Legal Documents to Protect Information
Acceptable use policies and other binding documents and agreements should be used to remind employees of their responsibilities and commitment to the organization, and should relate these to information assurance. Two documents are frequently used as legally binding instruments in organizations: the employment contract and the non-disclosure agreement (NDA).

Employment contract
An employment contract is an agreement between the organization and the employee defining all the terms and conditions of employment. From the point of view of information assurance, the employee's roles and responsibilities should be defined pertaining to, but not limited to, copyright, data protection rights, information ownership, information management and information classification.

NDA
An NDA identifies the organization and the employee, the level of confidentiality of the information covered, and to whom the information may not be divulged. An employee should sign an NDA before being given access to the organization's information systems or facilities, and the NDA should be reviewed whenever the terms and conditions of employment change.

Rotation of Duties
Rotation of duties is a form of control that minimizes fraud.
It may also keep an individual from staying in one job position for long periods, which helps manage their level of motivation. Keeping an employee in one job position for an extended period may give that employee too much control over certain business functions; such control may lead to fraud or misuse of resources, or may even jeopardize data integrity.

Monitoring and Privacy Expectations
Organizations must clearly delineate the expectations of the employee regarding privacy when it comes to employee-owned devices (BYOD) or to employees using organizational equipment for personal use. Organizations may offer a de minimis policy stating that an employee may use organizational information systems and resources for personal use during a break or lunch period as long as there is no material cost to the organization. "De minimis" is Latin for "about minimal things"; in risk assessment it refers to a level of risk too low to be concerned with. If the organization intercepts connections and decrypts the traffic, it may be wading into a privacy violation; organizations must work carefully with their legal departments to determine policies that respect work-life balance while still allowing properly scoped monitoring to be performed when needed.

Periodic Monitoring
An organization may perform periodic monitoring of employees' activities to detect potential fraud. This must be consistent with local laws, and employees must know that such monitoring may take place. The organization should be cautioned against routine and undisclosed monitoring, because it may trigger employees' uneasiness: feelings that they are not trusted and are being spied upon.
Employee Training and Awareness
The recruitment process does not stop once an employee is hired. The new employee is trained to perform job-specific tasks, including information assurance duties and responsibilities.

Disciplinary Process
Establish and explain a formal disciplinary process for all employees specific to security breaches. The process should ensure that employees suspected of committing a security breach are treated correctly and fairly. To assure due process, base the disciplinary process on a checklist (given on the following slide of the original deck, not reproduced in this transcript); management should adapt it so that all actions are in accordance not only with organization policy but also with local laws and customs.

Termination or Change of Employment
Employees leave jobs or are suspended for various reasons, under voluntary or involuntary circumstances. Voluntary circumstances include study leave, vacations, and family or personal matters. Involuntary circumstances include dismissal, death or medical incapacity. Organizations should establish policy and procedures for secure offboarding, defining the actions to be taken to handle absence and departure: temporary or permanent closing of accounts, steps for forwarding e-mail, changing critical passwords and phone numbers, and disabling access to all systems.

Topic 5: Accreditation

Accreditation
Refers to the formal process of assessing and certifying that an organization's information systems and processes meet certain security standards and compliance requirements.
The Information Assurance Planning Process involves a series of steps and activities aimed at ensuring the confidentiality, integrity and availability of an organization's information assets.

Accreditation Steps
1. Preparation and Planning: Identify the information systems and assets to be accredited, understand the relevant security requirements, and establish an accreditation team.
2. System Security Plan (SSP) Development: The SSP outlines the system's security requirements, policies, procedures and controls. It serves as the foundational document for the accreditation process.
3. Risk Assessment: Perform a comprehensive risk assessment to identify potential threats, vulnerabilities and risks associated with the information systems. This assessment helps determine the appropriate security controls and countermeasures.
4. Security Controls Implementation: Based on the SSP and the risk assessment, implement the security controls needed to mitigate the identified risks and meet the security requirements. This may involve deploying technical safeguards, security policies and employee training.
5. Security Testing and Evaluation: Test and evaluate the implemented security controls to assess their effectiveness. This may include vulnerability scanning, penetration testing and other security assessments.
6. Documentation: Detailed documentation of all security-related activities, including control implementation, testing results and incident response procedures, is essential for the accreditation process.
7. Accreditation Package Preparation: The accreditation team compiles all relevant documentation and evidence into an accreditation package, which is submitted to the accrediting authority for review.
8. Accrediting Authority Review: The accrediting authority, often a designated security or compliance officer within the organization or a regulatory body, reviews the package. It assesses whether the security controls are effectively mitigating risks and whether the organization complies with applicable standards and regulations.
9. Accreditation Decision: The decision can be to accredit the system (grant authorization to operate), to deny accreditation, or to require further remediation and re-evaluation.
10. Continuous Monitoring: The organization must maintain continuous monitoring and oversight of the accredited systems, including ongoing security assessments, incident response, and periodic reviews to ensure continued compliance with the security requirements.
11. Reaccreditation: Accreditation is not a one-time process. Periodically, the organization must undergo reaccreditation to ensure that the security controls remain effective and that the system remains compliant with evolving security standards and regulations.

Topic 6: Approaches to Implementing Information Assurance

Two Approaches to Implementing Information Assurance
1. The Bottom-up Approach: places the responsibility for successful information security on a single staff member or the security department.
2. The Top-down Approach: starts with upper management; top-level managers are responsible for initiating, creating and implementing the data protection strategy.

Advantages
- Bottom-up: uses a person's or team's experience and expertise to handle intricate security concerns; you may be able to assign the task to an existing employee with the appropriate background instead of hiring someone new.
- Top-down: has more efficacy because it makes data protection a company-wide priority instead of placing all the responsibility on one person or team; it incorporates more of the available resources and gives a clearer overview of the company's assets and concerns.

Disadvantages
- Bottom-up: it does not involve assistance or input from top-level management, so the infosec program will not have the thoroughness it would have if information and directives from the top were incorporated.
- Top-down: requires good leaders who are committed to prioritizing information security; you must ensure management has enough time and resources to implement, monitor and maintain new policies while creating an infosec plan.

Topic 7: Organizational Structure for Managing Information Assurance

Structure of an Information Assurance Organization
Three structures: Centralized, Distributed, Hybrid.

Centralized structure: the information assurance management program is managed under a centralized unit with ultimate accountability and responsibility for the program.
Distributed structure: roles, responsibilities and authorities are spread throughout the organization's business units, operations areas and geographical locations.

Hybrid structure: a mix of the centralized and distributed structures, featuring centralized management of information assurance with decentralized execution of security activities.

Senior Management
Chief Executive Officer; Chief Risk Officer; Chief Information Officer; Chief Information Security Officer; Chief Security Officer; Accrediting Official; Accrediting Official Liaison.

Information Assurance Units
Information Assurance Control Assessor; Information Assurance Engineer; Information Assurance Architect; Information System Security Officer.

Technology and Service Providers
Programmer; Database Administration; Help Desk; System/Network Administrator; Information Systems / Business Analyst.

Supporting Functions
Physical security / facility management / property management; Human resources department/unit; Audit; Legal; Risk Management.

Information System Owner; Common Control Provider; Information Owner/Steward.

Users
Types of users: users of information, and users of the systems.

Outsourcing and Cloud Computing
