Information Security Fundamentals, Second Edition
Thomas R. Peltier

CRC Press, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
© 2014 by Taylor & Francis Group, LLC. CRC Press is an imprint of Taylor & Francis Group, an Informa business. No claim to original U.S. Government works.
Version Date: 20130626
International Standard Book Number-13: 978-1-4398-1063-7 (eBook - PDF)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or
corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

To the souls that left us too early: Justin Peltier, Gene Schultz, and Brad Smith. They were always eager to try new things first. I know they will make our next meeting a joyous occasion.

Contents

Acknowledgments ix
Introduction xi
Information Security Fundamentals xiii
Editor xxv
Contributors xxvii
1 Developing Policies 1 (Thomas R. Peltier)
2 Organization of Information Security 17 (Patrick D. Howard)
3 Cryptology 37 (Maria Dailey)
4 Risk Management: The Facilitated Risk Analysis and Assessment Process 59 (Thomas R. Peltier)
5 Building and Maintaining an Effective Security Awareness Program 109 (John G. O'Leary)
6 Physical Security 147 (John A. Blackley)
7 Disaster Recovery and Business Continuity Planning 161 (Kevin McLaughlin)
8 Continuity of Operations Planning 169 (Jeffery Sauntry)
9 Access Controls 219 (Kimberly Logan)
10 Information System Development, Acquisition, and Maintenance 239 (Quinn R. Shamblin)
11 Information Security Incident Management 273 (Brad Smith)
12 Asset Classification 297 (Thomas R. Peltier and William Tompkins)
13 Threats to Information Security 327 (Justin Peltier)
14 Information Security Policies: A Practitioner's View 349 (Charles Johnson)
Glossary 357
Appendix A: Facilitated Risk Analysis and Assessment Process (FRAAP) 369
Appendix B: Business Impact Analysis 383 (Kevin McLaughlin)

Acknowledgments

This book is the combined effort of many industry professionals. This group includes John Blackley, Maria Dailey, Pat Howard, Charles Johnson, Kimberly Logan, Kevin McLaughlin, John O'Leary, Justin Peltier, Tom Peltier, Jeff Sauntry, Quinn Shamblin, Brad Smith, and William Tompkins.

For more than a decade, SecureWorld has expanded and improved the concept of affordable regional security
conferences. By ensuring knowledgeable speakers and quality educational and training programs, the security professional is able to stay current and cultivate contacts to help provide a means to get questions answered and problems solved. Mike O'Gara, Kerry Nelson, and the entire SecureWorld team are serving the industry well.

No one has all the answers to any question, so the really "smart" person cultivates good friends. Being in the information security business for nearly 40 years, I have had the great good fortune of having a number of such friends and fellow professionals. This group of longtime sources of great information includes John and Jane O'Leary, Lisa Bryson, Mike Corby, Terri Curran, Peter Stephenson, Merrill Lynch, Bob Cartwright, Pat Howard, Cheryl Jackson, Becky Herold, Ray Kaplan, Anne Terwilliger, David Lynas, John Sherwood, Herve Schmidt, Antonio and Pietro Ruvolo, Wayne Sumida, Dean Feldpausch, and William H. Murray.

My working buddies also need to be acknowledged. My son Justin was the greatest asset any father and information security team could ever hope for. Over the years, we logged thousands of air miles together and touched five continents. Every day I learned something new from him. I miss him greatly each and every day. The other working buddy is John Blackley, a strange Scotsman who makes my life more fun and interesting. I've worked with John since 1985 and have marveled at how well he takes obtuse concepts and condenses them so that even management types can understand.

Appendix A: Facilitated Risk Analysis and Assessment Process (FRAAP)

FRAAP worksheet (continued): Availability threats
Columns: Rating | Threat. The Rating column is blank on the template; each threat receives a likelihood (Probable, Moderate, Rare), an impact (High, Medium, Low), and a risk level read from the Risk Matrix below.

◾ Sickness or other absence could render some critical files inaccessible.
◾ A bomb threat could prevent access to the building.
◾ Terrorist attack on local facilities could affect access to company system and information.
◾ Theft of equipment or other information could affect ability to perform job assignments.
◾ Insufficient cross-training of critical procedures could affect the company's mission.
◾ Insufficient or missing desk procedures could affect department's ability to complete tasks.
◾ Availability of information resources controlled by a third party could affect company processes.
◾ Damaged or altered storage or hardware media could render systems or information unavailable.
◾ Inadequate version control could cause back-level programs to be run.
◾ Users could lose or misplace files.
◾ Vandalism and sabotage could be attempted to the network.
◾ Number of software licenses could be insufficient to meet requirements.
◾ Insufficient personnel resources could affect business processes.
◾ A malicious computer virus could be introduced via e-mail or removable media.
◾ Denial of service attacks from malicious Internet users outside the company could render system or information inaccessible.
◾ Employee could cause a document to be temporarily inaccessible due to human error.
◾ A strike or protest could prevent access to the building.

Rating key: Likelihood = Probable / Moderate / Rare; Impact = High / Medium / Low; Risk Level = use matrix.

Company Likelihood Table
Likelihood: a measure of how likely a threat may occur during the next 12 months.
Threshold levels:
  Probable: Anticipated that the threat will occur one or more times during the next 12 months.
  Moderate: Possible that the threat may occur within the next 12 months.
  Rare: Highly unlikely that the threat will occur within the next 12 months.
  Not Applicable: Threat does not apply to this division's work process.

Company Impact Table
Impact: the effect of a threat being carried out on the mission of the division under review.
Severity levels:
  High: An event with the potential to lead to permanent or long-term damage to the company's ability to achieve its mission.
  Medium: A significant event that can be managed under normal circumstances by the division.
  Low: An event where the consequences can be absorbed through normal activity.

Risk Matrix (likelihood down the side, impact across the top)
  Likelihood   Impact: Low   Medium     High
  Probable     Moderate      High       High
  Moderate     Low           Moderate   High
  Rare         Low           Low        Moderate

Risk Action, Acceptance Level and Notification Table
  High: Action: Requires immediate corrective action. Acceptance level: Executive Director. Notification requirement: Company Executive Director.
  Moderate: Action: Requires corrective action. Acceptance level: Division Director. Notification requirement: Division Director, possibly Company Executive Director.
  Low: Action: Continue to monitor. Acceptance level: Manager. Notification requirement: Division Director.

Appendix B: Business Impact Analysis
Kevin McLaughlin

The first order of business is to make sure that we know what systems are critical to maintaining an acceptable level of business service for our customers. The business impact analysis (BIA) is the critical component to understanding what services and what associated systems need to be restored, as well as in what order and how quickly they need to be restored. Once organizational business management aligns on what items should be on the BIA (see Figure B.1), we then have a clear understanding of what services need to be restored and how quickly they need to be restored.

To get business management alignment, the BIA process work needs to have an organizational sponsor who is high up enough in the organization to have authority over the business areas that are making the BIA decisions. This sponsor will assist with assuring that these decisions are made, will help negotiate any "tie-breaker" sessions where two services are seen as equal in criticality, and will ensure that business units engage in the BIA process as needed to develop the BIA outputs. The sponsor will also help the business units work through the risk analysis that must take place when deciding whether or not to bring a system up quickly after an event.

As Bergland and Pedersen (1997, p. 291) stated in a report on the effects of safety regulation on the safety and well-being of Norwegian fishermen, costly regulation induced "the individual rational fisherman to behave in a way which increases their risks" of injury. This behavior is caused by a fundamental risk
analysis being conducted on the part of the fishermen. Fishermen asked themselves whether it will cost them more to put safeguards in place than it will to suffer the accident or loss caused by a negative event. Extrapolating that risk analysis to the area of business continuity and DR planning, it is feasible to believe that senior business managers in other industries will conduct similar analyses. Will it cost me more to implement the required DR infrastructure than it would for me to recover from a catastrophic event that may or may not occur sometime in the future?

Figure B.1 Example BIA template
Columns: Application | Priority ranking (1–9) | Return to operation (time) | Acceptable data loss (days) | Comments. The ranking, return-to-operation, and data-loss columns are left blank in the template.
◾ Access to critical systems, AD/LDAP: Needed in order to access systems using user names and passwords. Also used by various applications to access systems.
◾ Basic web pages: Homepage with status, event, and recovery efforts.
◾ eMail: Basic email functionality.
◾ Finance: Payroll, loans, payments, etc.
◾ Human resources: Employee processing, reporting, records management, etc.
◾ Network services (enough to run the critical systems): Connects the systems and supporting systems together. Most applications will not work without a basic network in place.
◾ ERP system business data warehouse: Contains a multitude of data that is critical to organizational operations.
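The FRAAP tables in Appendix A above (Likelihood Table, Impact Table, Risk Matrix, and the Risk Action, Acceptance Level and Notification Table) are mechanical enough to encode. The following is an added example, not code from the book or from the FRAAP method's authors: it reads a threat's likelihood and impact through the Risk Matrix, looks up the required action, acceptance level and notification, drops "Not Applicable" rows, and sorts the worksheet so High-risk threats surface first. The threat texts are taken from the Availability worksheet above; the likelihood and impact ratings attached to them are constructed for illustration.

```python
"""FRAAP-style risk rating built from the Appendix A tables (added example)."""
from dataclasses import dataclass

# Likelihood (rows) x Impact (columns) -> Risk Level, as in the Appendix A Risk Matrix.
RISK_MATRIX = {
    "Probable": {"Low": "Moderate", "Medium": "High", "High": "High"},
    "Moderate": {"Low": "Low", "Medium": "Moderate", "High": "High"},
    "Rare": {"Low": "Low", "Medium": "Low", "High": "Moderate"},
}

# Risk Action, Acceptance Level and Notification Table (Appendix A).
RISK_ACTION = {
    "High": ("Requires immediate corrective action", "Executive Director",
             "Company Executive Director"),
    "Moderate": ("Requires corrective action", "Division Director",
                 "Division Director, possibly Company Executive Director"),
    "Low": ("Continue to monitor", "Manager", "Division Director"),
}


@dataclass
class ThreatRating:
    threat: str
    likelihood: str  # Probable | Moderate | Rare | Not Applicable
    impact: str      # High | Medium | Low


def risk_level(likelihood, impact):
    """Return the Risk Matrix cell, or None for a threat rated Not Applicable."""
    if likelihood == "Not Applicable":
        return None
    try:
        return RISK_MATRIX[likelihood][impact]
    except KeyError:
        raise ValueError(f"unknown rating: likelihood={likelihood!r} impact={impact!r}") from None


def assess(ratings):
    """Rate every worksheet row; return rows ordered High -> Moderate -> Low with
    N/A rows removed. Each row carries the action, acceptance level and notification."""
    order = {"High": 0, "Moderate": 1, "Low": 2}
    rows = []
    for r in ratings:
        level = risk_level(r.likelihood, r.impact)
        if level is None:
            continue
        action, acceptance, notify = RISK_ACTION[level]
        rows.append({"threat": r.threat, "risk_level": level, "action": action,
                     "acceptance_level": acceptance, "notification": notify})
    return sorted(rows, key=lambda row: order[row["risk_level"]])


# Constructed ratings for a few Availability threats from the Appendix A worksheet.
SAMPLE_WORKSHEET = [
    ThreatRating("A malicious computer virus could be introduced via e-mail or removable media",
                 "Probable", "High"),
    ThreatRating("Users could lose or misplace files", "Probable", "Low"),
    ThreatRating("A strike or protest could prevent access to the building", "Rare", "Medium"),
    ThreatRating("Denial of service attacks from malicious Internet users outside the company "
                 "could render system or information inaccessible", "Moderate", "High"),
    ThreatRating("Terrorist attack on local facilities could affect access to company system "
                 "and information", "Not Applicable", "High"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_WORKSHEET):
        print(f'{row["risk_level"]:<9}{row["action"]:<38}notify: {row["notification"]:<55}'
              f'{row["threat"]}')
```

Keeping the two tables as data rather than hard-coding the decisions means a division that adopts a different acceptance level (say, a fourth "Critical" row) changes one dictionary, and every worksheet is re-rated the same way; an unknown rating is rejected rather than silently mapped to Low.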
This is an impactful question that needs to be fully considered in the current economic downturn that is causing organizations to pull back from IT spending. The reality is that many organizations are simply too large to conduct a holistic BIA that incorporates feedback and discussion from every business unit that uses a service or part of a service; therefore, the sponsor must also be in a position to speak for those units. Not every business unit needs direct involvement in the BIA hierarchical and rating discussions, but they need to have their voice heard. Indirectly, a BIA survey instrument can be sent to each and every organizational unit asking each person in the company to rank-order a core set of services. This data can then be compiled and provided to the sponsor to assist them in their decision making and in speaking to the needs and viewpoint of the minor business units.

Once ready to start the ongoing BIA discussions, it is critical to host a kick-off meeting in which the process is explained and the sponsors provide their endorsement of getting the BIA completed and their ongoing support for the overall organizational DR planning.

During the BIA definition process, information about the following has to be gathered:
◾ What is the financial effect if the system is down, and does this financial effect increase the longer the system is down?
◾ Are there service level agreements (SLAs) tied into this system and, if there are, what are the financial penalties incurred once the system is down past the agreed-upon SLA timings?
◾ Are there manual workarounds for this service that are good enough?
◾ Is there a reputation or nontangible effect if the service is down for an extended period of time, and is that effect one that will affect the survivability of the organization?
◾ What are all the systems and integration points between the systems that comprise this service, and do they have time dependencies as to which system needs to be up before one of the other systems can work? Example: the e-Commerce systems are brought back online, but if the network is still down, e-Commerce transactions are not going to take place.
◾ If this service goes down and we decide not to recover it in a quick time frame or not to consider it a critical system, (1) can the business survive that decision, or (2) can insurance be purchased to cover the financial effect suffered by a service being down until more critical systems are restored?

The overall goal of the BIA is to provide a very clear roadmap to the recovery team of the order in which systems will be brought back online. Although a lot of work is being done in parallel and although good IT stewards are going to do their best to bring all the business systems up as quickly as they can, it is critical to organizational survivability that the most critical systems are recovered first and that they get the attention from people and other resources that they need to recover in order of priority. It does the business no good to have BIA item no. 250 brought up before BIA item no. 1, and if key resources and personnel were used to bring up BIA item no. 250 when they could have helped with the quicker restoration of BIA item no. 1, then that should be seen as an organizational failure.

A typical BIA creation process should look like this: a key resource is identified to complete the BIA, the BIA sponsor(s) are identified, a survey is sent out to identify what are perceived to be the critical services, an information meeting is conducted (in person and virtually), the initial hierarchical list of services (according to the initial survey) is compiled, and interviews and meetings take place to establish rank order for the critical systems. It is important that transparency be maintained throughout the process and that what is
thought to be the final rank order results are aligned across all the major business units involved in making the BIA ranking decisions. Lastly, the results should be shared with the sponsor, who will make suggestions and decisions based on his knowledge of how impactful the listed services are to the organization. This review by the sponsor may lead to a revisit of the interviews and meetings that establish rank order for the services, and this iterative process between the business groups and sponsor may occur more than once before a final ranking is agreed upon. Figure B.2 depicts this process.

Figure B.2 DR planning (cycle): BIA lead identified → Sponsor(s) identified and commitment obtained → Critical services survey → Information meeting → Hierarchical list of services compiled → Interviews and meetings take place to establish rank order.

BIA procedure by role

Information Security Analyst
  Provide the Company Owner a list of business processes, systems, applications, and/or programs that have been identified as being "Owned" by that specific division.

Company Owner (Division Director)
  Verify that the business process list is complete and accurate.
  Using the BIA Worksheet (see below), fill in the appropriate information. The worksheet is divided into three sections (header, activity period, and BIA score). The Criticality Table is also provided and used in step
  Fill in the worksheet header with the name of the division, director, business process being analyzed, date of BIA, and who conducted the BIA (if other than the Director).
  Using the activity period portion of the Impact Table, identify the business process activity periods. This could be normal, month-end, quarter-end, year-end, or some other time frame.
  Using the Criticality Table as a guide, select the appropriate ranking level for each activity period as related to each business attribute (reputation, regulatory, customer, financial).
  Enter the numeric value for the criticality ranking level selected for each category on the BIA
Impact Table in the proper column. Once all appropriate impact values have been entered, multiply the impact values by the weight value and enter the product in the BIA Rating column. When all of the multiplication products have been entered, add the total in each column and enter the sum in the Total Score box (the scores should range between a low of 4.5 and a high of 19.5). After the form is completed and signed by the Division Director, submit the form to the Company Information Security Project Analyst (ISA).

ISA
  Enter the Division's BIA results into the company business process criticality log. Submit results to the Information Security Steering Committee (ISSC) for review and approval.

ISSC
  Review and approve or return for additional work (in either instance, the report is returned to ISPM).

ISA
  If approved, update the company business process criticality list. If returned for more work, return to the company division with recommendations for modifications.

(4) BIA Worksheet

Company Business Impact Analysis Worksheet (header section)
  Division Name: formal division name
  BIA date: date BIA was conducted
  Director Name: director's name
  Title: director's formal title (for example, Executive Director)
  Business Process Name: application, system, program, business process, etc.
  Phone: director office phone number
  BIA Conducted by: name of person conducting the BIA

(5) Activity Period
Use the BIA Criticality Table as a guide to identify the ranking level for each activity period.
  Activity period             Reputation   Regulatory   Customer   Financial
  Normal
  Peak (e.g., month-end)
  Peak (e.g., quarter-end)
  Peak (e.g., year-end)

(6) Criticality Table

BIA Criticality Table, column definitions:
  Reputation: actual or potential effect on the reputation of Company in external environments. This includes the views held by all regulatory bodies that regulate any element of company's activities.
  Regulatory: actual or potential effect arising from process failure, which leads to an inability to comply with laws, regulations, or policies and procedures.
  Customer: actual or potential effect arising from process failure, which leads to an inability to provide service to our customer or execute against our business objectives.
  Financial: actual or potential loss within any 12-month period.

Ranking level: Urgent
  Reputation: Likelihood of or actual adverse comment in any national media. Significantly affects our reputation on a national level.
  Regulatory: Likelihood of or actual disapproval by any of our regulators.
  Customer: Affecting more than 25% of our customers or employees. Total failure of a third-party service provider. Loss of a key system or failure to meet a business-critical process deadline. Will inhibit our ability to achieve our strategic objective. Management failure at an executive level.
  Financial: In excess of $10 million in a 12-month period.

Ranking level: High
  Reputation: Likelihood of or actual adverse comment in the local press or equivalent. Affects our reputation on a local level.
  Regulatory: Any event which may affect our standing with our regulators.
  Customer: Affecting between 5% and 25% of our customers or employees. Partial failure of a third-party service provider. Loss of a key system, which causes significant process or customer impact. Will delay our ability to achieve our strategic objectives. Management failure at a business division level.
  Financial: Between $2 million and $10 million in a 12-month period.

Ranking level: Medium
  Reputation: Any event that may tarnish our reputation with a specific customer, group, or third party.
  Regulatory: Minor regulatory issue requiring the oversight of internal resources.
  Customer: Affecting up to 5% of our customers or employees. Deteriorating performance of a third-party service provider. Loss of a key system that causes a minor process or customer impact. Management failure at a supervisory level.
  Financial: Between $200,000 and $2 million in a 12-month period.

(7) BIA Impact Table

One block of columns per activity period (Normal, Peak 1, Peak 2, Peak 3): Impact* | Weight | BIA Rating, where Impact × Weight = BIA Rating and the Total Score box holds the column sum for that period.
  Category     Weight   Impact   BIA Rating
  Reputation   2
  Regulatory   2
  Customer     1.5
  Financial    1
  Total Score:
*Impact: U = 3, H = 2, M =

Reference
Bergland, H. and Pedersen, P. Catch regulation and accident risk: the moral hazard of fisheries' management. Marine Resource Economics 12, 1997: 281–291.

Back cover

Information Technology / Security & Auditing

Developing an information security program that adheres to the principle of security as a business enabler must be the first step in an enterprise's effort to build an effective security program. Following in the footsteps of its bestselling predecessor, Information Security Fundamentals, Second Edition provides information security professionals with a clear understanding of the fundamentals of security required to address the range of issues they will experience in the field.

The book examines the elements of computer security, employee roles and responsibilities, and common threats. It discusses the legal requirements that impact security policies, including Sarbanes-Oxley, HIPAA, and the Gramm-Leach-Bliley Act. Detailing physical security requirements and controls, this updated edition offers a sample physical security policy and includes a complete list of tasks and objectives that make up an effective information protection program.

• Includes ten new chapters
• Broadens its coverage of regulations to include FISMA, PCI compliance, and foreign requirements
• Expands its coverage of compliance and governance issues
• Adds discussions of ISO 27001, ITIL, COSO, COBIT, and other frameworks
• Presents new information on mobile security issues
• Reorganizes the contents around ISO 27002

The book discusses organization-wide policies, their documentation, and legal and business requirements. It
explains policy format with a focus on global, topic-specific, and application-specific policies. Following a review of asset classification, it explores access control, the components of physical security, and the foundations and processes of risk analysis and risk management. The text concludes by describing business continuity planning, preventive controls, recovery strategies, and how to conduct a business impact analysis. Each chapter in the book has been written by a different expert to ensure you gain the comprehensive understanding of what it takes to develop an effective information security program.

K10531
CRC Press, an informa business, www.crcpress.com
6000 Broken Sound Parkway, NW, Suite 300, Boca Raton, FL 33487
711 Third Avenue, New York, NY 10017
Park Square, Milton Park, Abingdon, Oxon OX14 4RN, UK
ISBN: 978-1-4398-1062-0
www.auerbach-publications.com
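The BIA Impact Table and scoring steps in Appendix B above (rate each of the four business attributes per activity period, multiply by the weight, sum into a Total Score) and the recovery-order argument earlier in the appendix (BIA item no. 1 before item no. 250) can be carried through in code. The following is an added example, not the book's or the appendix author's code. It assumes Medium = 1 for the impact value, since the worksheet shows U = 3 and H = 2 but the M value is not readable in this copy; it also assumes that a process is ranked by its highest period score, which the appendix implies but does not state. The worksheets for the three Figure B.1 applications are constructed for illustration.

```python
"""BIA worksheet scoring and recovery ranking in the shape of Appendix B's Impact Table
(added example; Medium = 1 and ranking by highest period score are assumptions)."""

# Weights from the BIA Impact Table.
WEIGHTS = {"Reputation": 2.0, "Regulatory": 2.0, "Customer": 1.5, "Financial": 1.0}
# Impact values: U = 3 and H = 2 are from the table; M = 1 is an assumption.
IMPACT_VALUE = {"U": 3, "H": 2, "M": 1}
PERIODS = ("Normal", "Peak 1", "Peak 2", "Peak 3")


def bia_rating(impact, weight):
    """One cell of the BIA Rating column: Impact x Weight."""
    return IMPACT_VALUE[impact] * weight


def period_score(ratings):
    """ratings: {category: 'U'|'H'|'M'} for one activity period.
    Returns (per-category BIA Ratings, Total Score). A category left blank is an
    incomplete worksheet, not a zero, so it is rejected."""
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"no impact level entered for: {sorted(missing)}")
    products = {cat: bia_rating(ratings[cat], WEIGHTS[cat]) for cat in WEIGHTS}
    return products, sum(products.values())


def score_worksheet(worksheet):
    """worksheet: {period: {category: level}} -> {period: Total Score}."""
    scores = {}
    for period, ratings in worksheet.items():
        if period not in PERIODS:
            raise ValueError(f"unknown activity period: {period!r}")
        scores[period] = period_score(ratings)[1]
    return scores


def rank_processes(processes):
    """processes: {name: worksheet}. Returns (name, highest Total Score over its
    periods), most critical first, i.e. the order the recovery team works down.
    Ties are broken by name so the ranking is deterministic."""
    scored = [(name, max(score_worksheet(ws).values())) for name, ws in processes.items()]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed worksheets for three of the applications named in Figure B.1.
SAMPLE_PROCESSES = {
    "Network services": {
        "Normal": {"Reputation": "H", "Regulatory": "M", "Customer": "U", "Financial": "H"},
        "Peak 1": {"Reputation": "U", "Regulatory": "H", "Customer": "U", "Financial": "U"},
    },
    "Finance": {
        "Normal": {"Reputation": "M", "Regulatory": "H", "Customer": "M", "Financial": "H"},
        "Peak 1": {"Reputation": "H", "Regulatory": "U", "Customer": "M", "Financial": "U"},
    },
    "Basic web pages": {
        "Normal": {"Reputation": "H", "Regulatory": "M", "Customer": "M", "Financial": "M"},
    },
}

if __name__ == "__main__":
    for rank, (name, score) in enumerate(rank_processes(SAMPLE_PROCESSES), start=1):
        print(f"{rank}. {name:<18} highest Total Score = {score}")
```

With all four attributes rated Urgent the Total Score is 3 × (2 + 2 + 1.5 + 1) = 19.5, which matches the upper bound the appendix gives; the lower bound depends on the Medium value, so this code does not assert it.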