Information Security Updates
Relationship with ISMS
An Information Security Management System (ISMS) is defined in the ISO/IEC 27000 set of standards. The ISO/IEC 27001 standard sets out a certifiable and measurable standard against which an organization can evaluate its information security management program. An ISMS covers a set of processes following the life cycle of “Plan-Do-Check-Act” (known as the “PDCA cycle”). ISO/IEC 27002 provides a set of best practice controls that can be used to build up an ISMS.
[Figure: PDCA Cycle [4]]
Security Management and Operations
Security management [1] manages a defined level of security controls on the risks of information and IT services. Security operations refer to the implementation and execution of IT services and processes so that a secured IT environment can be maintained and managed. Together, they form an essential framework to protect the information assets of an organization.
Security management and operations should not be viewed as an isolated or islanded process. In fact, they have an interwoven relationship with other IT processes. Under ITIL v3 [2], security management is one of the key processes categorized under Security Design [3]. It is defined as the process that ensures the confidentiality, integrity and availability (known as the “C-I-A triad”) of information assets and IT services. Besides Security Design, the processes under Service Operation are also heavily linked to security. Security management and operations should be viewed as an integral part of all ITIL processes, because information security must be effectively managed in all services and service management activities.
This newsletter describes how a University can design and implement security management and security operations according to the industry’s best practices.
Security Management
The word “management” means the act or skill of planning, leading, controlling and making decisions in order to achieve targeted goals. Likewise, security management is about controlling and making decisions on security matters. In practice, however, many organizations and security personnel are constantly firefighting problems and incidents. Instead of controlling security matters, they are being “controlled” by the fuss of their daily chores.
Good security management should at least include the elements of understanding the risk exposure of the organization, building sound governance to manage security, and monitoring security continuously so as to assure that the protections are effective.
Risk Assessment
To manage security effectively, an organization must first understand its security risk posture. For example, banks often face hacking intrusions on their online banking systems, so banks have to design and implement sufficient security protection for those systems. For Universities, the risks vary: what best suits a bank in terms of security may not be applicable to a University environment. It is more appropriate for a University to go through a comprehensive risk assessment exercise, which is a process to identify and evaluate risks, the potential impact on the University, and the probability that a particular event will occur. Once security risks are identified and evaluated, appropriate security controls and countermeasures can then be determined to effectively manage the perceived risks.
Examples – Security Governance
There are many ways of raising IT security policy awareness. Examples include:
- Design appropriate banners and posters and place them in conspicuous areas
- Display awareness messages in logon banners and screen savers
- Post articles and written materials regularly on the internal information security web portal
- Include an awareness session on information security during new employee orientation training
- Broadcast reminders through email
- Use social media platforms such as Yammer to spread awareness
Assurance
“If you can’t measure it, you can’t manage it.”
-- Peter Drucker, the management guru
Similarly, security can be better managed if a set of metrics is developed and adopted for measurement.
Security Governance
One of the weakest doorkeepers of security is people. If users do not know how to practice safe computing, malicious software can be dropped onto their endpoints without them noticing. If there is no baseline for IT department personnel to follow when configuring network infrastructure and developing applications, vulnerabilities can be introduced, luring attackers to compromise the systems.
In order to manage security effectively, Universities are advised to develop and enforce a set of security policies, standards and guidelines. These documents outline the management directives and security requirements on how to protect the confidentiality, integrity and availability of critical information assets.
The successful roll-out of security governance hinges on effective coordination and communication among the various stakeholders during the development, implementation, gap analysis and regular review of the policies, standards and guidelines. Therefore, a clear segregation of responsibilities and organizational roles should be defined to properly administer information security. Beyond that, awareness training and education promotion are also essential, so that the University community is constantly reminded to read, understand and follow the established policies, standards and guidelines.
Assurance
Security solutions should be designed with two focus areas: functional and assurance requirements. Functional requirements refer to aspects of a solution such as the features and capabilities of a firewall. It is common for IT personnel to focus on the functions but ignore the assurance requirements, which are about verifying that security solutions are selected and implemented as intended.
Assurance can include the following activities:
1. Execute monitoring and reviewing of procedures and other supplementary controls to:
- Promptly identify attempted and successful security breaches and incidents;
- Give management direct visibility of whether the security activities delegated to people or implemented are performed as expected;
- Help detect security events, and thereby prevent security incidents, by the use of indicators; and
- Determine whether the actions taken to resolve a breach of security were effective.
2. Undertake regular security reviews and vulnerability assessments to assess risks and the effectiveness of the implemented controls.
3. Measure the effectiveness of controls to verify that security requirements have been met.
4. Update the security policy on a regular basis, taking into account the observations made during monitoring and reviewing activities.
Universities can start off by defining service level agreements which cover security management requirements such as availability. Other measurement figures, such as the number of security incidents, the percentage of machines with the latest malware signature updates, and the percentage of servers with the latest patches applied, can also be calculated.
“...it is not the strongest of the species that survives, nor the most intelligent; it is the one that is the most adaptable to change.”
-- Charles Darwin
Change management
Change management comes in plenty of forms [5].
- If the change request is for a routine change, the routine change workflow takes place, which may not require extra approvals.
- If the change request is for a comprehensive or emergency change, approval needs to be obtained from the change advisory board (CAB) before going through the emergency change workflow.
- If the change request is for a comprehensive or emergency change with high risks, an extra special approval needs to be obtained. For example, if the change request will trigger service downtime and possibly financial loss to the company, the CFO needs to be involved in the approval flow.
Security Operations
Security operations, as the name implies, refer to the operational practice of dealing with security matters. A set of operational manuals is set up accordingly as baselines for security professionals to follow during their daily operational tasks. “Service Operation” as defined in ITIL v3 refers to the operational processes that make sure IT services are delivered effectively and efficiently. Similarly, security operations disciplines the operational processes to a defined security level and tackles the risk exposures identified in between.
Change Management
Organizations frequently encounter change requests on their IT services. Change management is a systematic approach for managing the security risks underlying each change. A change advisory board (CAB) should be established, involving key stakeholders, to prioritize and approve change requests. Both technical and business perspectives should be evaluated during the change management process.
A typical change management process is initiated at the time a request for change (RFC) is created. The CAB then reviews the RFC and assesses the risks, while testing and validation of the changes (i.e. technical review) are sometimes required in parallel to point out what adverse impacts would be triggered. If system downtime or other business-critical issues could possibly happen, a contingency such as a backup plan is required to restore the business within a tolerable timeframe. Since the success of a change implementation cannot be foreseen, having a fall-back plan is always a wise choice. Once the RFC is approved, the changes are implemented, and the change management process ends when the post-implementation review has been completed.
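The approval routing described in the change management box (routine, comprehensive or emergency change, with an extra approval when the risk is high) and the segregation-of-duties rule the newsletter recommends can be expressed as a small policy check. The following Python is an added example, not code from the newsletter or any ITIL tool; the role names “CAB” and “CFO” follow the text, while the requester-cannot-approve rule, the category names and the sample RFCs are assumptions constructed for illustration.

```python
"""Change-approval routing with a segregation-of-duties check.

Added example, not from the newsletter or any product: it encodes the
routing described in the change management text (routine / comprehensive /
emergency, extra approval for high risk) and the rule that the requester of
a change may not also approve it. Role names and sample RFCs are constructed.
"""
from dataclasses import dataclass, field

ROUTINE, COMPREHENSIVE, EMERGENCY = "routine", "comprehensive", "emergency"
CATEGORIES = {ROUTINE, COMPREHENSIVE, EMERGENCY}


@dataclass
class ChangeRequest:
    rfc_id: str
    category: str            # one of CATEGORIES
    high_risk: bool          # e.g. may cause downtime or financial loss
    requester: str
    # role -> name of the person who signed off for that role (assumed roles)
    approvals: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown change category: {self.category!r}")


def required_approvals(rfc: ChangeRequest) -> set:
    """Approver roles an RFC must collect before implementation."""
    if rfc.category == ROUTINE:
        return set()             # routine workflow: no extra approvals (assumption)
    roles = {"CAB"}              # comprehensive/emergency: CAB must approve
    if rfc.high_risk:
        roles.add("CFO")         # high risk: extra special approval (CFO in the text)
    return roles


def sod_violations(rfc: ChangeRequest) -> list:
    """Roles for which the requester approved their own change."""
    return sorted(role for role, who in rfc.approvals.items() if who == rfc.requester)


def missing_approvals(rfc: ChangeRequest) -> list:
    """Required roles that have not signed off yet."""
    return sorted(required_approvals(rfc) - set(rfc.approvals))


def can_implement(rfc: ChangeRequest) -> bool:
    """True only when every required role signed off and nobody approved their own RFC."""
    return not missing_approvals(rfc) and not sod_violations(rfc)


def review(rfc: ChangeRequest) -> str:
    """One-line decision suitable for the change record / audit trail."""
    sod = sod_violations(rfc)
    if sod:
        return f"{rfc.rfc_id}: REJECT (requester approved as {', '.join(sod)})"
    missing = missing_approvals(rfc)
    if missing:
        return f"{rfc.rfc_id}: HOLD (awaiting {', '.join(missing)})"
    return f"{rfc.rfc_id}: APPROVED"


if __name__ == "__main__":
    # Constructed sample RFCs covering each routing branch
    rfcs = [
        ChangeRequest("RFC-1", ROUTINE, False, "alice"),
        ChangeRequest("RFC-2", EMERGENCY, True, "bob", {"CAB": "carol"}),
        ChangeRequest("RFC-3", COMPREHENSIVE, False, "dave", {"CAB": "dave"}),
        ChangeRequest("RFC-4", EMERGENCY, True, "erin", {"CAB": "carol", "CFO": "frank"}),
    ]
    for r in rfcs:
        print(review(r))
```

The segregation-of-duties check is evaluated before the completeness check, so a change approved by its own requester is rejected rather than merely held, which is the behaviour an auditor would expect from the change record.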
Credential Management
Access controls to an organization’s applications and networks rely upon the authorization and authentication of users. Validation of credentials is essential to truly identify an individual. Compromised credentials, particularly those with high privileges, allow attackers to behave as an insider and compromise systems. An organization like a University community acquires users incrementally as new students enroll. Hence the University should seek a solution to tackle the emerging risks brought by credential management.
The University should design and implement an appropriate credential management process to manage passwords, keys and certificates, and to keep track of their status, such as password changes and certificate expiration and renewal, to ensure effective operations.
Security Information and Event Management
Security Information and Event Management (SIEM) monitors and analyzes the traffic of networks and applications. SIEM services can be provided by software tools, appliances, or even managed services. By monitoring the real-time data, SIEM can correlate security events with preset rules and generate alerts for threats or incidents. In addition, it can generate incident reports and compliance reports for efficient security operation management.
[Figure: Umbrella View of SIEM [6]]
Case Study – Incident Management [7]
At the University of Oviedo, there are 30,000 people across four campuses: Oviedo, Gijón, Avilés and Mieres. Incident management is performed at two action levels: institution level and education centre level. At institution level is the User Care Centre (UCC). It sorts out IT problems for the academic and administrative communities as a whole. There is an automated IT incident management tool (XPERTA), as well as an institutional website for support. At education centre level, which can be a specific faculty, the service provides lecturers and students with assistance for incidents arising from teaching-related activities.
Incident Management
The purpose of incident management is to restore business within a tolerable service interruption and to minimize the business impact incurred, so that service availability can be maintained. Incident management can include the following activities:
- Detect and log the incident based on service interruption or server and system alerts;
- Categorize the incident according to predefined priority levels and follow the corresponding escalation procedures;
- Investigate the incident and analyze the root cause (for example, the service interruption is caused by a malware infection);
- Resolve the problem and recover the business operation;
- Close the incident case after service resumption; and
- Review the incidents and update the incident handling processes for continuous service operation.
[Figure: The Incident Handling Process]
Besides implementing the process, periodic incident management training should be provided to operations personnel.
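What the SIEM section means by correlating events with preset rules, and what the first two incident management activities (detect and log, then categorize by priority and escalate) look like when driven by those alerts, is shown by the following added Python example. It is not the newsletter’s material and not any vendor’s SIEM: the log format, hosts, addresses, thresholds, rule names and priority levels are constructed assumptions, and the sample log lines are made up for the demonstration.

```python
"""Minimal SIEM-style correlation over constructed log lines.

Added example; it is not the newsletter's material nor any vendor's SIEM.
One preset rule correlates repeated failed logons followed by a success from
the same source within a time window; a second flags endpoint malware
detections. Each alert carries a priority level so the incident process can
categorize and escalate it. Log format, hosts, addresses, thresholds and
priority names are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <host> <event> src=<ip> user=<name>"
SAMPLE_LOGS = [
    "2024-03-01T09:00:01 vpn01 LOGIN_FAIL src=203.0.113.7 user=alice",
    "2024-03-01T09:00:03 vpn01 LOGIN_FAIL src=203.0.113.7 user=alice",
    "2024-03-01T09:00:05 vpn01 LOGIN_FAIL src=203.0.113.7 user=alice",
    "2024-03-01T09:00:08 vpn01 LOGIN_FAIL src=203.0.113.7 user=alice",
    "2024-03-01T09:00:12 vpn01 LOGIN_OK   src=203.0.113.7 user=alice",
    "2024-03-01T09:05:00 mail01 LOGIN_FAIL src=198.51.100.9 user=bob",
    "2024-03-01T09:30:00 mail01 LOGIN_OK   src=198.51.100.9 user=bob",
    "this line is not in the expected format",
    "2024-03-01T10:00:00 ws42 MALWARE_DETECTED src=10.0.5.42 user=carol",
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+src=(\S+)\s+user=(\S+)$")

# Preset rule parameters (assumed values)
FAIL_THRESHOLD = 3               # failures that must precede a success
WINDOW = timedelta(minutes=2)    # sliding window for counting failures

# Priority level -> escalation procedure (assumed mapping)
ESCALATION = {
    "P1": "page the on-call security engineer",
    "P2": "open a ticket with the IT service desk",
}


def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event, src, user = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event": event, "src": src, "user": user}


def escalation(priority):
    """Escalation procedure for a predefined priority level."""
    return ESCALATION[priority]


def correlate(lines):
    """Apply the preset rules to a stream of log lines; return alerts in order."""
    recent_fails = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:                  # unparseable lines are skipped, not fatal
            continue
        key = (ev["src"], ev["user"])
        fails = recent_fails[key]
        while fails and ev["ts"] - fails[0] > WINDOW:   # drop failures outside window
            fails.popleft()
        if ev["event"] == "LOGIN_FAIL":
            fails.append(ev["ts"])
        elif ev["event"] == "LOGIN_OK":
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append({"rule": "repeated-failures-then-success", "priority": "P1",
                               "host": ev["host"], "src": ev["src"], "user": ev["user"],
                               "ts": ev["ts"],
                               "detail": f"{len(fails)} failures within {WINDOW}"})
            fails.clear()               # a success resets the counter either way
        elif ev["event"] == "MALWARE_DETECTED":
            alerts.append({"rule": "malware-detected", "priority": "P2",
                           "host": ev["host"], "src": ev["src"], "user": ev["user"],
                           "ts": ev["ts"], "detail": "endpoint protection event"})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"[{a['priority']}] {a['ts']} {a['rule']} host={a['host']} "
              f"src={a['src']} user={a['user']} -> {escalation(a['priority'])}")
```

The single failure from bob produces no alert because the later success lies outside the two-minute window; a real SIEM would typically add rules for the other activities in the list above (root-cause fields, case closure) on top of this detect-and-categorize step.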
Security Device Management
Security devices include routers, firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and other devices which are deployed as security measures to protect against security threats. Security device management refers to monitoring and maintaining these security devices. Patches and updates are critical to keep the security devices current against the latest threats; where applicable, security ruleset and signature updates should be applied for detecting and preventing threats.
In addition to the prevailing security devices, leading security vendors are launching new security devices and modules for discovering zero-day cyber threats and malware attacks.
Separation of Duties [9]
Segregation of duties is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions. Specific examples of segregation of duties are as follows:
- The person who requisitions the purchase of goods or services should not be the person who approves the purchase.
- The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports.
- The person who approves the purchase of goods or services should not be able to obtain custody of checks.
- The person who maintains and reconciles the accounting records should not be able to obtain custody of checks.
Segregation of duties is a deterrent to fraud because it requires collusion with another person to perpetrate a fraudulent act.
Threat and Vulnerability Management
Threat and vulnerability management provides a proactive approach for an organization to mitigate the risks present. It is driven by business initiatives to assess the potential critical impacts and the likelihood of threat occurrence. A threat and vulnerability management program includes three key elements [8]:
- Asset Inventory (where information resides)
- Threat and Vulnerability Analysis (identify threats and analyze the likelihood of impact; a threat level should be assigned)
- Vulnerability Management (use countermeasures and mitigation controls to lower the risk posed by the threats and vulnerabilities identified)
For organizations, threat and vulnerability management facilitates risk mitigation in security operations. By adopting a risk-based approach, threats and vulnerabilities should be identified and the likelihood of impact analyzed. Tools can be utilized to assist threat and vulnerability management. For universities, a pragmatic threat and vulnerability management program should be developed, and periodic vulnerability assessments should be performed to eliminate the security threats.
Reminder about Separation of Duties
For the sake of avoiding conflicts of interest in security operations, separation of duties defines clear roles and responsibilities among different individuals. It also proves to be an effective way to prevent fraud and error.
Key Performance Index
How do universities know how well they are performing? A Key Performance Index (KPI) is a quantifiable measurement that reflects the success of an activity (e.g. security management and operations). To determine the efficiency and effectiveness of security management and operations, examples of KPIs include the following:
- Business protected against security violations, such as a decrease in security breaches and incidents;
- Increase in the acceptance of, and conformance to, security policy and processes in meeting the business objectives;
- Increase in support and commitment from senior management for security management and operations procedures;
- An effective mechanism for improving the security policies and controls;
- Increase in staff awareness of security knowledge and best practices; and
- Improvement in the service levels delivered by the IT Service Desk.
Conclusion
Security management and operations are integral components in achieving business excellence. Security management evaluates and manages corporate risks in terms of information security. Security operations provide detection, investigation and remediation of IT threats, cyber intrusions and incidents.
Universities should make a great effort to adopt security best practices to tackle the threats encountered in daily operations.
References
1. We are actually referring to information security management. For simplicity’s sake, the term “security management” is used throughout this newsletter.
2. A set of best practice guidance for IT Service Management. ITIL is owned by the Office of Government Commerce in the UK. It consists of a series of publications giving guidance on the provision of quality IT services, and on the processes and facilities needed to support them. Please refer to http://www.itil.co.uk for more information.
3. ITIL v3 defines 5 core components: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.
4. “Taking the First Step with PDCA”, 2 February 2009.
5. “Case Study – Advanced Approval Workflow”, 26 August 2014.
6. “JOnline: Log Management: A Pragmatic Approach to PCI DSS”, ISACA, by Prakhar Srivastava and Tarun Verma.
7. “Information Technology Incident Management: A Case Study of the University of Oviedo and the Faculty of Teacher Training and Education”, July 2012.
8. “Key Elements of a Threat and Vulnerability Management Program”, by John P. Pironti, 2006.
9. “Segregation of Duties (Preventive & Detective)”, UCLA Corporate Financial Services.
Copyright Statement
All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright
and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in
any manner, without the prior written consent of the copyright holder, is a violation of copyright law.
A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals
must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others,
whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright
holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this
document is listed below:
[email protected]
Joint Universities Computer Centre Limited (JUCC)
c/o Information Technology Services
The University of Hong Kong
Pokfulam Road, Hong Kong