NOTE
As the assessment team works with the customer to fill out the OICM, it’s normal for the customer to want to change some things. Remember that this matrix is not static. You could end up changing multiple items several times in the process. The customer should be in control because they understand their business. You’re providing expertise to guide their decision process. You should understand that if your definitions change, you will need to revisit the OICM to see if any of the ratings have changed based on the new definitions.

The Customer Perception of the Matrix

Often the customer will end up with misconceptions about the matrix and what it’s intended to convey to the target audience. These issues typically arise before the process is complete, so your team will need to reiterate the goal of these activities. Confront these issues as they arise by explaining why the matrix is important to upper management.

In putting together the OICM, our goal is to distill the information architecture and its impact on the organization into an easy-to-read matrix. We’ve defined the critical pieces of information and prioritized them based on their impact on operations. So now we can understand that the loss of security attributes to these pieces of information can impact the company in varying degrees. If the customer can understand the correlation we have drawn between these things, the matrix should be easy for them to comprehend.
www.syngress.com Determining the Organization’s Information Criticality • Chapter 3 107

[Figure 3.4 Example Completed: Matrix with High-Water Mark. Columns: Confidentiality, Integrity, Availability. Rows: Customer Information, Account Information, Employee Information, Corporate Finances, Research & Development, High Watermark.]

One issue that inevitably pops up is the concern that some information types may be construed as being “not important” because they receive a Low rating in some impact attribute categories. This is not, in fact, the truth of the matter. In fact, all information types listed are important to the organization, but the customer needs to understand which ones have a greater impact on the mission.

Another key to the OICM is the distinction drawn between the different types of security required for various information types. Some types may need more protection from an impact attribute than others. Using this thinking, the customer can better determine where to invest their security budget to ensure the best use of resources.

Explaining the Value of Priorities

If everything were rated as a High impact on operations, the matrix would provide no value to the customer, because it would not reflect the reality of the situation. In reality, not all information within a company deserves the same level of protection. But like a small child with his toys, customers can be defensive about what is theirs. Priorities provide the mechanism needed to delineate the difference between information that is merely important and that which is critical.

Case Study: Organizational Criticality at TOOT

The Transit Organization of Operational Trains (TOOT) is under contract to manage 27 percent of all North American train traffic.
In this capacity, TOOT schedules, monitors, and enforces the movement of trains from six master control stations (New York, Miami, Mexico City, San Francisco, Seattle, and Toronto).

TOOT has contracted with our consulting company to perform a complete NSA IAM-compliant assessment on their organization. They’ve never had an organizational assessment before, so the customer is relatively ignorant of the processes and steps involved. The assessment team leader will need to educate the customer and make sure they really understand the process as the assessment progresses.

Our POC is Anne Jackson, TOOT’s CIO. Anne has only been with the organization for about six months. She confides that she believes that many different procedural changes might need to take place before the organization ends up in the headlines. Our team leader decides that Anne will make a great team representative for the customer on the assessment team. Anne is asked to coordinate a pre-assessment visit in two weeks and is given a list of potential company representatives who could provide useful input for this initial step.

We know from our talks with Anne on the phone that the TOOT network is primarily a Windows NT domain network with an IBM AS400 as the primary monitoring server. The team leader decides to bring two technicians from our company. One has experience with Windows security; the other has worked with the AS400 mainframe architecture for years. Together with the team leader, the consulting pre-assessment visit team is ready to go.

Two weeks later, our team arrives on site at the TOOT location in New York, where we’ll meet with Anne and her team. The actual meeting room is a boardroom designed for a group of roughly 20 people to sit around a large table and talk.
A large whiteboard hangs on a wall at one end of the room, perfect for listing information types.

Our meeting has been scheduled for 9:00 A.M. on Monday in the boardroom. We meet Anne in her office after checking in at the front desk and receiving our temporary visitor badges. Anne tells us that there should be 11 attendees in the meeting, including those on the assessment team. She says that the attendees should be a collection of individuals from the information technology department that administers the systems for TOOT.

TOOT Information Criticality Topics

At 8:50 A.M. we enter the boardroom with Anne and prepare for the meeting. The team leader lays out his notes and passes out a presentation for each attendee. The presentation gives the attendees an overview of the IAM assessment process and describes what the group will be doing.

The rest of the group shows up around 9:00 A.M. At this point, Anne makes some basic introductions between the team and the TOOT employees in the room. It appears that all the key players have arrived, so the team leader begins his presentation. When the presentation is over, he asks for questions and clarifies the process for a few individuals who seem concerned or confused about the assessment.

With the basics out of the way, the team leader starts the enumeration of information types by explaining to the group what we’re trying to do now. One of the assessment team members is prepared to take notes on a laptop while the team leader jots down the various information types on the whiteboard. The process starts immediately with the mainframe administrator naming the information types she deals with on a daily basis.
After just a few minutes, the rest of the group chimes in, and we soon have a list of roughly 35 information types. The group goes back over the list, carefully checking for items that don’t really belong. E-mail is removed from the list first, along with the customer database. When all the information types have been filtered, corrected, or accepted, there are 22 types on the list.

The assessment team leader explains the process of rolling these various information types into a smaller number of broad categories that encompass the information in question. The group works together and categorizes the information types into eight groups of information that describe all the critical information within the organization. The eight information types are as follows:

■ Regular freight-tracking information
■ Sensitive freight-tracking information
■ Passenger information
■ Track condition-monitoring information
■ Customer information
■ Employee information
■ Corporate finance information
■ Network and communications information

Identifying Impact Attributes

After listing all the information types, the group takes a break, and some members of the group are told they’re done. This leaves the assessment team with the senior technology representatives to identify the impact attributes and complete the OICM. When the break is over, this group returns to complete the work.

Our team leader explains that the group needs to pick attributes that directly impact the organization and asks for input on legal regulations or requirements that might influence this decision. The group decides to use the basic set of impact attributes: confidentiality, integrity, and availability. It’s decided that these three attributes cover the concerns the organization may have regarding the security of its information.
Creating Impact Definitions

The group begins working with the definitions that will pinpoint the various impacts that loss of CIA on the various information types has on the organization. Anne decides that it’s best to keep this simple and use the basic High / Medium / Low structure. The rest of the team appears to agree with her. The group ends up with the definitions listed in Table 3.4.

Table 3.4 TOOT Impact Definitions

High | Medium | Low
Loss of life | Financial penalties in excess of US$100,000 from federal regulatory agencies | Inconvenience to the customer
Severe loss of customer confidence | Financial losses in excess of US$500,000 | Inconvenience to the passengers
Catastrophic financial penalties from federal regulatory agencies | Inability to actively monitor trains and rail systems for one hour or less | Loss of customer confidence
Hostile takeover of railway management (possible terrorist activities) | Widespread loss of customer confidence | Disruption of our railway management system
Financial losses in excess of US$2 million | Loss of reputation |
Inability to actively monitor trains or rail systems for more than one hour | Legal action by the customers |

Creating the Matrix

Now that we’ve finished defining the impact attributes, the team can start filling in the OICM. This is where most of the conflict will arise, if it exists. In our case study, however, very little conflict exists, because everyone is on the same sheet of music. Anne has done a great job of pulling everyone together and getting the team focused.

The team begins by relating each information type to the impact attributes in question.
For starters, the team leader asks the group to begin by considering how the loss of confidentiality of the regular freight information would impact the organization. The team decides what value to put into that box on the matrix by reviewing the definitions they’ve created. After about another hour and a half, the team has filled all the empty blocks in the OICM. By taking the highest rating in each impact attribute column, the team derives the high-water mark and calls it a day. The completed OICM is shown in Figure 3.5.

[Figure 3.5 TOOT’s Completed OICM. Columns: Confidentiality, Integrity, Availability. Rows: Reg. Freight, Sens. Freight, Pass Info., Track Cond., Cust. Info, Net & Comms, Finances, Emp. Info, High Watermark.]

Summary

The process of creating the Organizational Information Criticality Matrix (OICM) is one of the most important within the INFOSEC Assessment Methodology. The OICM provides a basis for everything else in the methodology and clarifies the intentions and goals of the assessment process for the customer. Poor execution of this portion of the assessment can result in a much more complex and painful assessment for both the customer and the team.

The process of creating the OICM begins with a group of customer representatives sitting in the same room with the assessment team. From here, the customer will begin listing all known information types within the company.
It’s not important if the list is relatively long, because the next step rolls these individual pieces of information into more general groupings. These groupings make more sense than the individual pieces from an IAM perspective because they give a more general overview of the information types within the company. Because the IAM is a top-down assessment approach, we need to ensure that we start with this more generalized understanding of the customer’s information.

Some conflict can arise during this process simply because some information types are inherently considered of lesser importance to the organization than others. The individuals in the room may resent the implication that the information that they work with is of less importance. It eventually lies at the feet of upper management to clarify the company’s beliefs regarding these issues.

When the information types have all been grouped together into fewer groups of similar or relevant information types, we’ll pick the impact attributes to use for the assessment process. The most commonly used impact attributes are confidentiality, integrity, and availability. These three encompass the majority of what information security professionals around the world attempt to focus on. Other attributes, such as nonrepudiation or accountability, can be added. The more impact attributes used during the assessment process, the more complex the impact definitions need to be. This ensures that definitions relate directly back to the attributes we’re measuring against.

The standard levels of definitions are High, Medium, and Low. Although these are the standards, they’re not mandatory and may be substituted with your company’s own metric system. Another example of a potentially useful metric is including a numbering system from 0 to 5, with 0 representing the least impact on the organization. The system your organization ends up using depends on your own business processes and your customer’s desires.
The High definition level can be considered something that has a dramatic impact on business operations for the customer. This category is normally reserved for those events that can cause dire harm to the well-being of a company. Some examples include loss of life, complete loss of customer confidence, or the need to file for bankruptcy.

The Medium definition level consists of those things that are of significant impact to the organization. Significant is a subjective term that is up to the customer to define. It could consist of large legal penalties, loss of revenue, and a loss of reputation.

Low importance can be thought of along the lines of those things that will have less impact on the organization. For instance, customer inconvenience or the delay of an arrest (for a police organization) could be considered low by the customer. In the end, all these definitions are subjective and depend heavily on the customer’s interpretation.

The OICM is a box matrix consisting of columns and rows. We label the columns across the top of the matrix with the names of the impact attributes we’ll be using for the assessment. The rows are labeled along the left edge with the information types that the customer has defined. Next, the assessment team will sit down with the customer and fill in the squares in the box. The process is completed by asking questions such as, “The loss of Integrity for this information type would result in what impact?” This type of activity will fill in the chart based on customer input. The OICM is not a static matrix and could change over the course of the assessment, based on new information or changes in customer opinion.
The final result is an OICM that accurately reflects the customer’s opinions regarding the critical information types within the organization, the various levels of impact considered possible for the organization, and the impact attributes that the customer feels are most important to the organization’s mission. Ratings are given by the customer with feedback from the team.

Best Practices Checklist

Never Underestimate the Amount of Time Required to Define Information Criticality

■ Consider the size of the customer organization.
■ Consider the politics of the customer organization.
■ Consider the industry of the customer organization.
■ Consider the customer understanding of the NSA IAM process.

Ensure That the Right People Are Present to Determine Information Criticality

■ Your customer POC should be an upper management representative.
■ Network administrators for the customer network should be part of the process.
■ Systems administrators of the various operating systems should be part of the process.
■ Administrative or project management personnel should be part of the process, for a business perspective.

Work With Your Customer to List the Information Types Within the Organization

■ Start by brainstorming and listing all the information types the customer can think of.
■ Remove all the superfluous and nonmission-critical information types from the list.
■ Remove all the systems or applications from the list.
■ Roll all the smaller information types into broader groups.

Avoid Internal Politics During the Definition Process

■ Stay objective in the information you offer the customer about security.
■ Allow the management representative to manage conflict and politics.
■ Try to understand the rationale behind the personal feelings of the people in the room.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: During the course of defining the OICM, how often do you actually find the process difficult due to internal conflict or personality issues on the customer’s team?

A: There is almost always some sort of conflict during this process. The employees at the customer site usually believe their information or systems are very important to their company’s overall mission. We often hear statements such as, “If it weren’t for my information, we couldn’t do this. That would be a huge impact on the company!” Although statements like this are true at some level, it eventually comes down to what the manager believes is the truth. The manager, not the employee, decides the real impact.

Q: Is there a limit to the actual number of impact attributes that can be used during the IAM process?

A: NSA doesn’t actually define a specific number of impact attributes that should or should not be used during the assessment process. The actual number will depend heavily on customer desires. This is not to say that your input as a paid information security expert shouldn’t come into play in the decision, but ultimately it’s all up to the customer. The largest number of impact attributes I’ve seen during the assessment process was about 13. The biggest problem we had with that assessment was creating definitions that
[...]

... A: The OICM is required for the assessment to be compliant with the NSA INFOSEC Assessment Methodology. If your organization is considering an IA-CMM rating from NSA based on your ability to perform the IAM for customers, you’ll need to ensure that this part of the IAM process exists. Assessments that do not conform to the IA-CMM as released by NSA should not be submitted for use or review during the ...

... nature of the NSA IAM, the OICM already covers most of the impacts for each information type the customer described. As a result, the values can be carried over directly to the SCMs that the assessment team creates. In some rare cases, we’ve found that some customers require a change in values from the OICM to the relevant SCM. Because the IAM assessment process is a customer-based assessment, their opinion ...

... the primary router where information enters and exits the network, each ATM kiosk on the network, the various Integrated Services Digital Network (ISDN) lines that tie the kiosks to the network, and the main ATM server back at the bank. In the end, the critical path for a system depends on the type of information we’re analyzing and how the customer perceives the movement of the information within the ...

... changes hands to another entity that then becomes the responsible party for controlling access to the data. A good example of something like this is where a bank transfers information on customer transactions to a partner bank. Once the information leaves the hands of the local bank and moves into the customer’s own bank, the information then becomes the responsibility of the partner bank. Thus the ...
... team. This time the focus is using the information we’ve created for the OICM to help us determine how the SCM should be laid out. It’s important to have the technical representatives from the customer organization present during this process.

Locating System Boundaries

The assessment team leader explains the process of creating the SCM as the next step in the NSA IAM. The simplest means for defining these systems ...

... process, and store information. They can transmit information through verbal communication, store information in their memory or on paper, and process information in their brains. But for the purposes of the assessment process, we need to ensure that the customer is clear on the practical definition ...

... start with blank templates for the matrix and then fill in the blocks of the matrix based on the impact on the system of the loss of CIA on any particular information type as that system impacts the organization. Our goal is to break the information we have obtained on the organization thus far into ...

... team cannot make decisions for the customer. Fortunately, since we’re at the point in the assessment process where the majority of critical information types have already been defined for the customer, the process of defining the specific systems should not be terribly painful. Information lives in systems, ...

... Figure 4.1 provides a good depiction of how detailed the process becomes as the security team progresses. The NSA IAM is covered under the Information Assessment section. The technical pieces of information evaluation and red teaming activities are not covered in this book. Suffice it to say that we’ve moved down to the ...

... One

While looking at the new network diagrams the customer created for this assessment, the assessment team discovers a previously unknown firewall on the network. The firewall allows access to an information type on another system that was previously unknown. With this new information, the Customer System 1 needs to be updated with the new information type. Figure 4.8 shows the new SCM for System 1 ...

... those for integrity of customer information. The loss of availability of the account information