CHAPTER 7 Information Security Process 93 Copyright 2001 The McGraw-Hill Companies, Inc. Click Here for Terms of Use. I nformation security is a proactive process to manage risk. Unlike a reactive model in which an organization experiences an incident before taking steps to protect its infor - mation resources, the proactive model takes steps prior to the occurrence of a breach. In the reactive model, the total cost of security is unknown: Total Cost of Security = Cost of the Incident + Cost of Countermeasures Unfortunately, the cost of an incident is unknown until it actually occurs. Since the or - ganization has taken no steps before the incident has occurred, there is no way to know what the cost of an incident might be. Therefore, the risk to the organization is unknown until an incident has occurred. Fortunately, organizations can reduce the cost of information security. Proper planning and risk management will drastically reduce, if not eliminate, the cost of an incident. If the organization had taken the proper steps before the incident occurred, and the incident were prevented, the cost would have been: Cost of Information Security = Cost of Countermeasures Note also that Cost of the Incident + Cost of Countermeasures >> Cost of Countermeasures Taking the proper steps before an incident occurs is a proactive approach to infor- mation security. In this case, the organization identifies its vulnerabilities and deter- mines the risk to the organization if an incident were to occur. The organization can now choose countermeasures that are cost-effective. This is the first step in the process of information security. The process of information security (see Figure 7-1) is a continual process comprised of five key phases: ▼ Assessment ■ Policy ■ Implementation ■ Training ▲ Audit Individually, each phase does bring value to an organization; however, only when taken together will they provide the foundation upon which an organization can effec - tively manage the risk of an information security incident. 94 Network Security: A Beginner’s Guide Chapter 7: Information Security Process 95 ASSESSMENT The information security process begins with an assessment. An assessment answers the basic questions of “Where are we?” and “Where are we going?” An assessment is used to determine the value of the information assets of an organization, the size of the threats to and vulnerabilities of that information, and the importance of the overall risk to the orga- nization. This is important simply because without knowing the current state of the risk to an organization’s information assets, it is impossible for you to effectively implement a proper security program to protect those assets. This is accomplished by following the risk management approach. Once the risk has been identified and quantified, you can select cost-effective countermeasures to mitigate that risk. The goals of an information security assessment are as follows: ▼ To determine the value of the information assets ■ To determine the threats to the confidentiality, integrity, availability, and/or accountability of those assets ■ To determine the existing vulnerabilities inherent in the current practices of the organization ■ To identify the risks posed to the organization with regard to information assets ■ To recommend changes to current practice that reduce the risks to an acceptable level ▲ To provide a foundation on which to build an appropriate security plan Figure 7-1. The process of information security 96 Network Security: A Beginner’s Guide These goals do not change with the type of assessment performed by the organiza - tion. However, the extent to which each goal is met will depend on the scope of the work. There are five general types of assessments: ▼ System-Level Vulnerability Assessment Computer systems are examined for known vulnerabilities and elementary policy compliance. ■ Network-Level Risk Assessment The entire computer network and information infrastructure of the organization is assessed for risk areas. ■ Organization-Wide Risk Assessment The entire organization is analyzed to identify direct threats to its information assets. Vulnerabilities are identified throughout the organization in the handling of information. All forms of information are examined including electronic and physical. ■ Audit Specific policies are examined and the organization’s compliance with them is reviewed. ▲ Penetration Test The organization’s ability to respond to a simulated intrusion is examined. This type of assessment is performed only against organizations with mature security programs. For this discussion, we will assume that audits and penetration tests will be covered during the audit phase of the process. Both of these types of assessments imply some pre- vious understanding of risks and a previous implementation of security practices and risk management. Neither type of assessment is appropriate when an organization is at- tempting to understand the current state of security within the organization. You should make assessments by gathering information from three primary sources: ▼ Employee interviews ■ Document review ▲ Physical inspection Interviews must be with appropriate employees who will provide information on the existing security systems and the way the organization functions. A good mixture of staff and management positions is critical. Interviews should not be adversarial. The inter - viewer should attempt to put the subject at ease by explaining the purpose of the assess - ment and how the subject can assist in protecting the organization’s information assets. Likewise, the subject must be assured that none of the information provided will be at - tributed directly to him or her. You should also review all existing security-relevant policies as well as key configura - tion documents. The examination should not be limited to only those documents that are complete. Documents in draft form should also be examined. The last part of information gathering is a physical inspection of the organization’s fa - cility. If possible, inspect all the organization’s facilities. Chapter 7: Information Security Process 97 When conducting an assessment of an organization, examine the following areas: ▼ The organization’s network ■ The organization’s physical security measures ■ The organization’s existing policies and procedures ■ Precautions the organization has put in place ■ Employee awareness of security issues ■ Employees of the organization ■ The workload of the employees ■ The attitude of the employees ■ Employee adherence to existing policies and procedures ▲ The business of the organization Network The organization’s network normally provides the easiest access points to information and systems. When examining the network, begin with a network diagram and examine each point of connectivity. NOTE: Network diagrams are very often inaccurate or outdated, therefore it is imperative that dia- grams are not the only source of information used to identify critical network components. The locations of servers, desktop systems, Internet access, dial-in access, and connec- tivity to remote sites and other organizations should all be shown. From the network dia- gram and discussions with network administrators, gather the following information: ▼ Types and numbers of systems on the network ■ Operating systems and versions ■ Network topology (switched, routed, bridged, and so on) ■ Internet access points ■ Internet uses ■ Type, number, and versions of any firewalls ■ Dial-in access points ■ Type of remote access ■ Wide area network topology ■ Access points at remote sites . only those documents that are complete. Documents in draft form should also be examined. The last part of information gathering is a physical inspection of the organization’s fa - cility. If possible,