Policy, Regulation, and Ethics
• Policy: systems and procedures must meet policy requirements.
• Regulation: organizations must comply with the requirements of the laws to which they are subject.
• Ethics: organizations may choose to generate desired ethical behavior.

How Are Security, Regulation, and Ethics Related?
• All three complement each other.
• A minimum is defined by regulatory requirements.
• Policies help ensure that these requirements are met and, in fact, that more is done where it is deemed appropriate and cost effective.
• Promotion of ethical behavior is likely to generate desired behavior, aligned with meeting regulatory requirements and honoring policies.
• An environment where ethical behavior is stressed could foster a sense of duty: people may tend to do the right thing, beyond the law and policies.

Organization and Accountability
• Organization structure should ideally represent accountability consistent with the roles of personnel.
• Accountability for information security is typically assigned to an information security director, who may report to the CEO, the CIO, or another top-level executive.
• This role must be managed in a multidisciplinary context because issues of information security are multidisciplinary.

Security Policies
• Policy: a high-level document independent of all functions, roles, powers, and personalities.
• Security policy: a formal statement of the rules by which people who are given access to the organization's technology and information assets must abide.
• Standards: tend to enforce tried and tested practices.
• Procedures: describe, where necessary, specific ways of securing information assets.
• Guidelines: provide examples and interpretation of the policy and related standards to facilitate policy implementation.

Purposes of a Security Policy
• Informs users, staff, and managers of their obligations concerning protection of information technology and assets.
• Provides a baseline from which to provide assurance of compliance with the policy.
• Provides a basis for determining what security tools to use to adequately protect information assets.

Characteristics of a Policy
• Tenure: generally, a policy should have a long tenure, during which it may not change much.
• Requisite variety: each policy must have requisite variety; all anticipated requirements to provide control must be addressed in the policy.
• Feasibility: policies must pass the test of feasibility.
• Understandability: a policy must be written so that it is easy to understand.
• Balance: a policy must balance the need for security with the functionality and usability of information systems.

Content Areas of an Information Security Policy
Purpose; Scope; Policy; Definitions; Responsibilities; Administration and interpretations; Amendments/termination of the policy; References to applicable policies and standards; Exceptions; Violations/enforcement.

Area: description of the content within the area
• Purpose: narrates why this policy is written and how it will benefit the organization.
• Scope: clarifies to whom the policy applies.
• Policy: the core of the policy, the statement(s) that describe the policy.
• Definitions: if the policy includes certain terms, these are defined here. This allows for a very specific interpretation of the policy, irrespective of how these terms are used in the profession.
• Responsibilities: identifies who is responsible for enforcement of the policy. If more than one party is responsible, a clear identification of each party's responsibility with respect to policy enforcement should be included.
• Administration and interpretations: identifies who is responsible for answering questions regarding this policy, maintaining records of policy issues and how they were resolved, and documenting violations of the policy and their resolution.
• Amendments/termination of the policy: states that (1) the organization reserves the right to modify, amend, or terminate the policy at any time and (2) the policy does not constitute a contract between the organization and its employees.
• References to applicable standards: lists policies related to this policy.
• Exceptions: identifies how to request an exception to the policy, what information the request should provide, and to whom it should be addressed. Typically, all exception requests are handled in accordance with an information security exception policy.
• Violations/enforcement: specifies where to report any known violations of the policy, and what consequences could result from such violations. For example, consequences may include immediate suspension of user privileges, disciplinary action, or reporting the case to appropriate law enforcement agencies.

Classification of Policies
Various alternative classifications are possible. Information security policies may be categorized:
• using components of an information system;
• in terms of physical security and logical security;
• as system specific or issue specific.

Policy Development Process
The process must mirror risk management processes:
• Identify critical information systems processes and assets.
• Understand what risks each information asset faces.
• Identify the asset's vulnerabilities and anticipate the types of threat the asset might be subject to.
• Identify control and security measures to protect the information asset.
• Develop a policy that provides cost-effective protection measures.
• Periodically review the policy in light of changes in the organization and its environment.

Regulatory Requirements
• Regulations exist in the area of information assets protection, and must be met.
• Such regulations typically define the threshold needs for protecting information assets.
• Compliance with such requirements provides assurance that the entity is meeting the needs for protection of information assets at the levels required by law.
• At the same time, compliance helps the entity protect its information assets and prosecute those who compromise their security.

Regulatory Requirements and Security Objectives
Information assets protection; Authentication; Integrity of logic; Integrity of communication; Confidentiality and privacy; System availability; Computer crimes.

Objectives, Vulnerabilities, and Regulation
(Each row: security objective; selected vulnerabilities; illustrative regulatory requirements.)
• Information assets protection; theft, software piracy; Computer Software Copyright Act of 1980, Digital Millennium Copyright Act (1998).
• Authentication; impersonation, spoofing, session hijacking, man-in-the-middle attack; electronic signature legislation, digital signature laws.
• Integrity of logic (programs); malicious code, buffer overflow; Uniform Commercial Code.
• Integrity of communication; website defacement, active wiretap, falsification of message; Electronic Communications Privacy Act of 1986.
• Confidentiality and privacy; eavesdropping, passive wiretap; Right to Financial Privacy Act of 1978, Gramm-Leach-Bliley Act (1999), Children's Online Privacy Prevention Act [COPPA] (1998), Health Insurance Portability and Accountability Act [HIPAA] (1996).
• System availability; connection flooding, denial of service (DoS) attack, distributed denial of service; Computer Fraud and Abuse Act (1984, 1986, 1996).

Ethical Behaviour in Organizations
• Ethics: the principles of conduct individuals and groups use in making and implementing choices.
• Principles of moral conduct are the foundation for ethical behavior.
• Ethical behavior may have implications for information security.

Business Ethics
• An organization is a group of individuals with shared values and goals.
• A business, as an organization, should deserve its place within society.
• Organizational legitimacy results from the degree of congruence between the social values associated with or implied by the firm's activities and the norms of acceptable behavior in the larger social system to which it belongs.
• Individuals as employees should ask questions concerning the consequences of an action, serving others' rights, consistency of decisions with basic values, and feasibility of their actions in the world as it is.

Developing Information Management Policies
Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement. ePolicies typically include:
• Ethical computer use policy
• Information privacy policy
• Acceptable use policy
• E-mail privacy policy
• Internet use policy
• Anti-spam policy

ETHICAL COMPUTER USE POLICY
• Ethical computer use policy: contains general principles to guide computer user behavior.
• The ethical computer use policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules.

INFORMATION PRIVACY POLICY
• The unethical use of information typically occurs "unintentionally" when it is used for new purposes. For example, social insurance numbers started as a way to identify government retirement benefits and are now used as a sort of universal personal ID.
• Information privacy policy: contains general principles regarding information privacy.
• Information privacy policy guidelines:
  1. Adoption and implementation of a privacy policy
  2. Notice and disclosure
  3. Choice and consent
  4. Information security
  5. Information quality and access

ACCEPTABLE USE POLICY
• Acceptable use policy (AUP): a policy that a user must agree to follow in order to be provided access to a network or to the Internet.
• An AUP usually contains a nonrepudiation clause.
• Nonrepudiation: a contractual stipulation to ensure that e-business participants do not deny (repudiate) their online actions.

E-MAIL PRIVACY POLICY
• Organizations can mitigate the risks of e-mail and instant messaging communication tools by implementing and adhering to an e-mail privacy policy.
• E-mail privacy policy: details the extent to which e-mail messages may be read by others.

INTERNET USE POLICY
• Internet use policy: contains general principles to guide the proper use of the Internet.

MONITORING TECHNOLOGIES
• Monitoring: tracking people's activities by such measures as number of keystrokes, error rate, and number of transactions processed.
• Key logger or key trapper software
• Hardware key logger
• Cookie
• Adware
• Spyware
• Web log
• Clickstream

EMPLOYEE MONITORING POLICIES
• Employee monitoring policies: explicitly state how, when, and where the company monitors its employees.

Assurance Considerations
Policy development, implementation, and enforcement:
• Is the policy current? Is it enforced?
• Are violations of and exceptions to the policy tracked and reported? Who acts on such violations? Are such actions proper?
• Overall, is the policy effective?
Compliance with regulations:
• Is an integrated approach used, where legal, technological, and operational aspects are considered together? Or is the compliance a patchwork?
• Who is responsible for compliance? Are the compliance solutions documented?
• Are changes in the regulatory requirements monitored?
• Is the whistle-blower system effective?
Ethical behavior:
• Does the organization have a code of conduct?
• What structure is in place to nurture ethical behavior in the organization?
• Who is accountable for promoting organization-wide ethical conduct?
• What programs are in place to achieve the objective? Are they effective?

Where Are MOST of the Continuity Challenges?
CONTINUITY ISSUES:
• Catastrophic interruptions
• Minor interruptions
• Everyday blips
• Process dysfunctions
BCARE SOLUTIONS: Continuity, Availability, Reliability, Engineering.

Physical Access Security
• Establishing perimeters
• Implementing and maintaining a system, equipment, procedures
• Defensive depth, universal application
• Monitoring / detection / response
• Common intrusion techniques

What Is a Perimeter?
A controlled border:
• External: public / first level. May be outside of the building.
• Second: building access. May include elevators and stairways.
• Multiple interior: authorization related to function-based "need to know".

Systems, Equipment, Procedures
• System components: hardware, software, devices, data, personnel (operators and staff).
• Equipment: readers, tokens, cameras and video recorders, screen monitors, barriers (turnstiles, man-traps).
• Procedures: operator, equipment maintenance, log review, token issuance, authorization maintenance. System upgrading. Guards.

Defensive Depth
• Multiple barriers to breach: make an intruder work harder.
• Multiple levels, multiple techniques.
• Multiple levels of monitoring and detection.
• Introduce random supplemental checks.

Universal Application
• Every time, every person, every control point.
• Weekdays, nights, and weekends.
• Especially no "official piggybacking".
• Why: keeps the "bright line" between authorized and unauthorized.

Monitoring/Detection/Response
• Monitoring: what conditions, when.
• Detection: manual, automatic, alarms; who is notified?
• Response:
  • Who, what, when
  • How contacted
  • Logistics and SLA
• Failure in any area "breaks the chain" of response.

Common Intrusion Techniques
• "Piggy-backing"
• Poor housekeeping of access privileges: terminated employees, transferred employees
• "I have a delivery for Mr./Ms. X."
• Concealment within interior protected areas
• Exploitation of known system flaws

WHAT YOU ALREADY KNOW
Good things:
• Card readers and physical access control systems
• Cameras
• Locked doors
Bad things:
• Piggybacking
• Easy-to-guess passwords
• Asleep at the console
No need to hear that again.

WHAT YOU MAY NOT KNOW...
• Facilities and Security co-dependencies
• How they affect the enterprise risk picture
• How formal risk assessment techniques developed for other industries are emerging as tools to reduce critical facilities risks
• How all this relates to BCP/DR
...UNTIL NOW

SO WHAT? WHO CARES?
Poor Facilities/Security/IT/BCP coordination =
• Wasted resources
• Risk picture not fully understood
• Risks not fully addressed
CEOs, CFOs, CIOs, chairmen and directors care about these things... and so do regulators.

Copyright 2004 Strategic Facilities Inc. All rights reserved

SECURITY & FACILITIES
Security needs Facilities:
• Surveillance and access control need power.
• Cameras need light.
• The guard force needs a decent environment, just like everyone else.
Facilities needs Security:
• Extra eyes and ears for building problems.
• Help screening visiting technicians.
• Reduced tampering with building systems.

RELIABILITY
• What is the probability that a system will operate correctly? Over what mission time?
• Severity of failure is part of the risk conversation, not the reliability conversation.
• Duration of failure is also a separate variable.
• Duration is also part of the risk conversation and also NOT part of the reliability conversation.

MORE RELIABILITY
• Can be expressed as Mean Time To Failure (MTTF).
• MTTF is OK, but lacks mission time context.
• Probability of success over mission time does a better job of depicting the situation.
• Probability of failure = 1 - (Probability of success).
• Duration of failure is known as Mean Time To Restore, or MTTR.
• Probability of success or failure of an individual system does not depend on MTTR.

AVAILABILITY
• A different concept entirely.
• A comparison of MTTF and MTTR.
• Mathematically: MTTF / (MTTF + MTTR).
• Grossly misused throughout industry in the form of "nines"; usually, MTTF >> MTTR.
• The misuse is due to its two-dimensional nature.
• This does not mean that MTTR and Availability do not matter.

AVAILABILITY - IT DEPENDS

RELIABILITY VS. AVAILABILITY
System "A":
• 1 failure, at the end of year 9; down the entire year 10.
• Reliability: MTTF = 9 yrs; only 1 sample.
• Availability: 90%.
• More reliable (?), less available. Less certain.
System "B":
• 4 failures, avg. 1 per 2.5 yrs; down 5 min each time.
• Reliability: MTTF = 2.5 yrs, 4 samples.
• Availability: 99.996%.
• More available, less reliable. More certain.

HOW SYSTEMS FAIL
• Independently, due to internal, local failure.
• Due to a "common cause" effect; that is, something that affects the entire system at once.
• Natural or man-made disaster, for example; these tend to be high severity, low frequency.
• Human error is the most frequent common-cause failure mode; often less severe than disasters.
Applies to Facilities, Security, IT, BCP.

CASE #1 - WHO CAN GO INTO THE DATA CENTER
• Client is a hedge fund; they develop and use proprietary applications to execute trades.
• Frequent hacker target; security is tight.
• Big battle over who has access to the data center.
• Facilities team is responsible for power and cooling in there!
• Facilities team members are not employees: should they be allowed in?
Result for Case #1: the debate spurred the client to grow in-house staff and reduce the presence of non-employees, while expanding the ability to grant and track physical access privileges.

CASE #2 - OPERATOR TRAINING FOR NEW SITE
• Client was considering building a new facility specifically designed as a data center.
• Limited pool of building engineers to transfer to the new facility; mostly air conditioning guys.
• Client is late in recognizing the problem and planning for commencing operations.
• How should the client prepare to operate, and how much should they spend to do it?
Result for Case #2: the client saw the folly of spending $25 million on a new site and risking an outage due to human error; instead, it implemented a full program of procedure writing and training to reduce errors.

CASE #3 - WHO SEES STATUS INFO ON BUILDING SYSTEMS
• Client agreed to lease space in a former co-lo site taken over by the landlord.
• Landlord has never managed critical facilities before.
• Power and cooling status info goes to the NOC via HP OpenView and other systems.
• NOC personnel are trained only in IT, not Facilities.
• Analysis finds AVAILABILITY too low.
• What should the landlord do?
Case #3 results: the landlord contracted for fast emergency response, added auto-paging capability, and trained NOC staff to relay vital information to the qualified responder en route.

RECOMMENDATIONS & CONCLUSIONS
1. When confronting a risk, ask yourself: How often is it likely to occur? How bad will its impact be if it does occur?
2. Then, compare this risk to others you face: Is it likely to occur more or less frequently? Is its likely impact more or less severe than the others'?
3. Apply this approach consistently across IT, Facilities, and Security.

MORE RECOMMENDATIONS & CONCLUSIONS
4. When evaluating a risk reduction measure: What does it require of other sectors? E.g., if it's a Facilities measure, what do IT and Security need to do to make it work? Who will do those things and how? Same question for Security and IT initiatives.
5. Then, look across sectors... What other exposures are out there? Who should address them?

Payment Card Industry (PCI) Security Standard
• Developed by the PCI Security Council, formed by major card issuers like Visa, MasterCard, and American Express.
• Requires agent financial institutions and major merchants (over 6 million transactions annually) to have an annual external audit for compliance.
• Failure to comply can lead to a fine of $500,000.

PCI Standards
1. Install and maintain a firewall to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across the Internet.
5. Use regularly updated anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
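The RELIABILITY, MORE RELIABILITY, AVAILABILITY and RELIABILITY VS. AVAILABILITY slides earlier in the deck define availability as MTTF / (MTTF + MTTR) and contrast it with the probability of success over a mission time. The following Python script is an added worked example, not part of the original slides: it carries the deck's System "A" and System "B" figures through both formulas and solves the availability formula for MTTR to show why a bare "nines" figure is two-dimensional. The constant-failure-rate (exponential) lifetime model used for the mission reliability is this example's assumption; the slides do not name a distribution.

```python
"""Reliability vs. availability, worked with the deck's System "A" and "B".

Added example, not part of the original slides.  Assumption: mission-time
reliability uses a constant failure rate (exponential lifetimes),
R(t) = exp(-t / MTTF).  The slides only say that probability of success
over a mission time should be used, not which distribution.
"""
import math

MIN_PER_YEAR = 365 * 24 * 60  # 525,600 minutes


def availability(mttf_min: float, mttr_min: float) -> float:
    """Steady-state availability as the slide defines it: MTTF / (MTTF + MTTR)."""
    if mttf_min <= 0 or mttr_min < 0:
        raise ValueError("MTTF must be positive and MTTR non-negative")
    return mttf_min / (mttf_min + mttr_min)


def reliability(mttf_years: float, mission_years: float) -> float:
    """Probability the system survives the whole mission (assumed exponential model)."""
    return math.exp(-mission_years / mttf_years)


def probability_of_failure(mttf_years: float, mission_years: float) -> float:
    """The slide's relation: P(failure) = 1 - P(success)."""
    return 1.0 - reliability(mttf_years, mission_years)


def nines(avail: float) -> int:
    """Leading nines in an availability figure (0.999 -> 3, 0.9996 -> 3).
    Rounding guards against floating-point noise such as 1 - 0.999 = 0.00100...09,
    whose log10 would otherwise floor to 2."""
    if not 0.0 <= avail < 1.0:
        raise ValueError("availability must be in [0, 1)")
    return int(math.floor(round(-math.log10(1.0 - avail), 9)))


def mttr_for(mttf_min: float, target_avail: float) -> float:
    """MTTR (minutes) that yields target_avail for a given MTTF; the availability
    formula solved for MTTR.  Many (MTTF, MTTR) pairs map to the same 'nines',
    which is the two-dimensional nature the slide warns about."""
    return mttf_min * (1.0 - target_avail) / target_avail


# Constructed from the slide's figures.  System "A": one failure at the end of
# year 9, down for all of year 10.  System "B": four failures, on average one
# every 2.5 years, each repaired in 5 minutes.
SYSTEM_A = {"mttf_years": 9.0, "mttr_min": 1.0 * MIN_PER_YEAR}
SYSTEM_B = {"mttf_years": 2.5, "mttr_min": 5.0}


def compare(system: dict, mission_years: float) -> dict:
    """Both views of one system: steady-state availability and mission reliability."""
    mttf_min = system["mttf_years"] * MIN_PER_YEAR
    a = availability(mttf_min, system["mttr_min"])
    return {
        "availability": a,
        "nines": nines(a),
        "mission_reliability": reliability(system["mttf_years"], mission_years),
    }


if __name__ == "__main__":
    for name, sysdef in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        r = compare(sysdef, mission_years=1.0)
        print(f"System {name}: availability {r['availability']:.6%}, "
              f"{r['nines']} nines, P(survive 1-yr mission) {r['mission_reliability']:.3f}")
    # The same "four nines" from very different systems: the figure hides which one you have.
    for mttf_years in (1 / 365, 10.0):
        mttr = mttr_for(mttf_years * MIN_PER_YEAR, 0.9999)
        print(f"MTTF {mttf_years:>7.3f} yr needs MTTR {mttr:9.3f} min for 99.99%")
```

Running it shows System "A" at 90% availability but the higher one-year survival probability, and System "B" the reverse, which is the deck's "more available, less reliable" contrast in numbers.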