Contents

I. Introduction
   a. Importance given to IT in ABCL
   b. What is the concern
II. Information Security Plan Framework
   a. Steps for the framework
   b. Fitting the security components into a framework
   c. Extending the McCumber model with risk assessments
III. Plan and Organize
   a. Risk management
IV. Implementation
   a. Security policy
   b. Asset management
   c. Human resources management
   d. Physical and environmental management
   e. Communication and operations management
   f. Access control
   g. Incident management
   h. Disaster recovery management
   i. Compliance
Introduction

ABCL is a progressive downstream oil company that has operated in India for over 70 years. It was nationalized under Government of India policy.

Importance given to IT in ABCL

ABCL has networked all of its locations, more than 400 in number, and has deployed every feasible application to reap the benefits of IT, transforming itself into an IT-savvy ABCL. It has implemented state-of-the-art systems such as SAP, SCM, B2B and B2C, together with a rich intranet, in addition to specialized applications.

What is the concern

With this degree of dependence on networked systems, there is a need for a comprehensive security plan for ABCL.
Framework:

This security plan is needed to:
- protect the confidentiality, integrity and availability of data and safeguard information assets and resources;
- identify processes and techniques that promote secure communications and the appropriate protection of information;
- establish a common information security program framework that is consistent with business needs.

This framework identifies the key components that should be considered when implementing, reviewing, or seeking to improve the value of the information security plan. There are different ways of describing the life cycle of any process.

Steps for the framework:

We will use the following steps:
- Plan and organize
- Risk management
- Implement security policies
- Asset management
- Human resource management
- Physical and environmental management
- Communication and operations management
- Access control
- Incident management
- Disaster recovery management
- Compliance
Fitting the security components into a framework:

The McCumber Cube gives a framework for implementing the information security plan. It provides the multi-dimensional view required to implement an information assurance program. Its three dimensions are:
- Security services
- Information states
- Countermeasures

Viewing the cube from different angles provides a way to consider risk from different perspectives. The three primary aspects of the cube are:

Information states
These represent the various forms in which information can be found within a system. Information is the fundamental thing that must be protected.
- Processing: information held in volatile memory or currently being manipulated by the processor
- Storage: non-volatile storage such as files on hard drives or backup media
- Transmission: information transiting network media

Countermeasures
These are the elements used to defend a system from attack and to protect information in each of its states.
- People: all individuals associated with a system, including administrators and users
- Policies and practices: documented policies and procedures that guide people interacting with the system: workflows, separation of duties, and least privilege
- Technology: the hardware and software that make up the system, such as operating systems, applications, networking devices, and security tools

Security services
These are the ultimate security goals of a system. They are intangible rather than concrete.
- Confidentiality: protecting information from unauthorized or unintended disclosure
- Integrity: the quality that prevents unauthorized alteration or destruction of information
- Availability: the ability of an authorized user to retrieve the required information in a timely manner

The McCumber Cube is used by selecting a desired security service and considering which countermeasures must be implemented to protect the affected information states. This can be viewed as:

(Diagram: Attack -> Information state -> Countermeasures -> Security goal)
Example: consider the model for the service of availability, one of the security services in the model.

Network availability:
- Attack: denial of service
- Information state: transmission
- Countermeasures:
  - Technology: intrusion detection
  - Policy: monitoring
  - People: incident response
- Security goal: availability
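The availability case above names intrusion detection as the technology countermeasure for a denial of service against information in transmission. The following is an added example and not part of the original plan: a rate-based SYN flood detector run over constructed connection-log lines. The log line format, the 10-second sliding window and the threshold of 100 SYNs per source are assumptions; the alerts it returns are what the monitoring policy escalates to the incident response team (the people countermeasure).

```python
# Added example (not from the ABCL plan): sliding-window SYN-rate detector.
# Assumed log format: "<ISO-8601 timestamp> <source IP> <destination port> <TCP flag>"
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+) (?P<flag>[A-Z]+)$"
)


def parse_line(line):
    """Parse one log line; return (timestamp, src, port, flag) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["port"]), m["flag"]


def detect_floods(lines, window_seconds=10, threshold=100):
    """Return one alert per source whose SYN count within any sliding window of
    window_seconds exceeds threshold. Lines are assumed to be time-ordered;
    malformed lines and non-SYN packets are ignored."""
    span = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source IP -> timestamps of SYNs inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != "SYN":
            continue
        ts, src = rec[0], rec[1]
        q = recent[src]
        q.append(ts)
        while ts - q[0] > span:  # drop SYNs that have aged out of the window
            q.popleft()
        if len(q) > threshold:
            alert = alerts.setdefault(
                src, {"source": src, "first_seen": q[0], "peak_in_window": 0}
            )
            alert["peak_in_window"] = max(alert["peak_in_window"], len(q))
            alert["last_seen"] = ts
    return list(alerts.values())


def build_sample():
    """Constructed sample traffic: one flooding source, one normal client."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # Attacker: 300 SYNs to port 443 within 6 seconds (50 per second)
    for i in range(300):
        t = base + timedelta(milliseconds=20 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} 203.0.113.7 443 SYN")
    # Legitimate client: one connection per second for a minute, each with an ACK
    for i in range(60):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} 198.51.100.2 443 SYN")
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} 198.51.100.2 443 ACK")
    lines.append("this line is malformed and must be skipped")
    return sorted(lines)  # ISO timestamps sort lexicographically into time order


if __name__ == "__main__":
    for a in detect_floods(build_sample()):
        print(f"ALERT SYN flood from {a['source']}: peak {a['peak_in_window']} "
              f"SYNs in 10 s between {a['first_seen']} and {a['last_seen']}")
```

The detector keys on source address, so a distributed flood from many sources would stay under the per-source threshold; a production deployment would add an aggregate per-destination-port window alongside it, but the per-source window is enough to show how the transmission state is observed and how an alert hands off to incident response.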
Extending the McCumber model with risk assessments

This model can also be used within a risk framework to ascertain the level of risk present for any given situation in a network environment. Each perceived threat, weighed by its likelihood and by the countermeasures in place, is evaluated with this McCumber Cube extension to arrive at the system risk.

(Diagram: Threat -> Likelihood -> Countermeasures -> Risk)
The output after these two steps follows this template:

Business process                  | Operational concern
----------------------------------|--------------------
Marketing planning and execution  | Availability
Refinery operations               | Confidentiality

3. Identify or define assets:
   a. Each business process relies on multiple assets. Identify the assets and data items that are part of this business process.
   b. Although the majority of the assets identified will be informational, an asset can be of the following types:
      i. Informational: most assets defined will be informational; they are data objects.
      ii. Functional: for example, an Internet connection is a functional asset.
      iii. Physical: any physical component or equipment can be an asset.

   b. The two asset measurements are rated on a scale of 1 to 5 (1 = not important, 5 = extremely important):
      i. Sensitivity: the relative measure of damage to the business process if the asset were disclosed to unauthorized users, such as competitors.
      ii. Criticality: the relative measure of how crucial the asset is to the accomplishment of the business process.

6. Determine importance:
   a. Importance is a subjective rating of high, medium, low, or none assigned to each asset.
   b. This rating expresses the importance of the asset to the business process.
   c. The importance rating is derived from the asset measurements assigned in the previous step and a subjective analysis of those values.
      i. Although the value assigned to each asset measurement is independent of the operational concerns of the business process, the importance rating has to take those operational concerns into account.
         A. For example, an asset with a sensitivity value of 4 and a criticality value of 1 may have an importance rating of high if sensitivity is more of a concern to the process than criticality. On the other hand, if sensitivity is of low concern and criticality is of higher concern, the importance rating will be low.
         B. There is no mathematical way to determine the importance rating; the factors above have to be combined with an awareness of the organization's business and operations to arrive at the rating that makes the most sense.

Template for asset classification:

Asset | Type (informational/physical/logical) | Business role | Access controls | Supporting architecture | Sensitivity (1 to 5) | Criticality (1 to 5) | Importance (high, medium, low)
Describe risks

Describe how each vulnerability creates a risk to the system in terms of the confidentiality, integrity, availability and accountability elements whose loss could result in a compromise of the system.
Likelihood of occurrence levels

Likelihood | Description
-----------|------------
Extreme    | Likely to occur multiple times per day
(remaining rows not recovered)

Impact severity levels

In increasing order: Insignificant, Minor, Significant, Damaging, Serious, Critical. (Descriptions not recovered.)

Risk levels

This table shows the resulting risk level for each degree of likelihood and each level of impact severity.

Likelihood of occurrence \ Impact severity | Insignificant | Minor | Significant | Damaging | Serious | Critical
-------------------------------------------|---------------|-------|-------------|----------|---------|---------
(lowest likelihood row)                    | Low           | Low   | Low         | Low      | Low     | Low
(remaining rows not recovered)
For new systems, the next steps would include creating a sensitivity assessment, system security requirements, a risk assessment report, and a system security plan within the SDLC. The following risk register template lists each threat and vulnerability, its risk level and the corresponding treatment strategy.
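To make the register concrete, here is an added example that is not part of the original plan: it validates asset entries against the 1-to-5 scales from step "b" above, derives a risk level from likelihood and impact severity, and produces the register sorted from highest to lowest risk. The page preserves only the likelihood level "Extreme", the six severity levels and a row of "Low" cells, so the remaining likelihood names, the scoring rule behind the matrix, the risk level names above "Low" and the treatment strategies are assumptions. Importance is taken as an input rather than computed, because step 6 states that it is a subjective judgement.

```python
# Added example (not from the ABCL plan). Values marked "assumed" are not on the page.
from dataclasses import dataclass

LIKELIHOOD = ("Rare", "Unlikely", "Possible", "Likely", "Extreme")   # only "Extreme" is on the page; rest assumed
SEVERITY = ("Insignificant", "Minor", "Significant", "Damaging", "Serious", "Critical")
RISK_LEVELS = ("Low", "Medium", "High", "Extreme")                  # only "Low" is on the page; rest assumed
IMPORTANCE = ("none", "low", "medium", "high")


@dataclass(frozen=True)
class Asset:
    name: str
    asset_type: str        # informational / functional / physical
    business_process: str
    sensitivity: int       # 1..5, damage if disclosed to unauthorized users
    criticality: int       # 1..5, how crucial the asset is to the process
    importance: str        # subjective rating supplied by the assessor, not computed

    def __post_init__(self):
        for attr in ("sensitivity", "criticality"):
            value = getattr(self, attr)
            if value not in range(1, 6):
                raise ValueError(f"{self.name}: {attr} must be 1..5, got {value!r}")
        if self.importance not in IMPORTANCE:
            raise ValueError(f"{self.name}: importance must be one of {IMPORTANCE}")


def risk_level(likelihood, severity):
    """Assumed matrix rule: score = (likelihood rank) x (severity rank), both 1-based,
    bucketed so that the lowest likelihood row is all Low, as in the page's table."""
    score = (LIKELIHOOD.index(likelihood) + 1) * (SEVERITY.index(severity) + 1)
    if score <= 6:
        return "Low"
    if score <= 12:
        return "Medium"
    if score <= 20:
        return "High"
    return "Extreme"


STRATEGY = {  # assumed treatment strategy per risk level
    "Extreme": "Treat immediately: additional controls before the system goes live",
    "High": "Treat: remediate within the current review cycle",
    "Medium": "Treat or transfer: asset owner decides and records the decision",
    "Low": "Accept: monitor at the annual review",
}


def build_register(entries):
    """entries: list of (asset, threat, vulnerability, likelihood, severity).
    Returns register rows sorted from highest to lowest risk."""
    rows = []
    for asset, threat, vulnerability, likelihood, severity in entries:
        level = risk_level(likelihood, severity)
        rows.append({
            "asset": asset.name,
            "importance": asset.importance,
            "threat": threat,
            "vulnerability": vulnerability,
            "likelihood": likelihood,
            "severity": severity,
            "risk_level": level,
            "strategy": STRATEGY[level],
        })
    rows.sort(key=lambda r: (RISK_LEVELS.index(r["risk_level"]),
                             LIKELIHOOD.index(r["likelihood"]),
                             SEVERITY.index(r["severity"])), reverse=True)
    return rows


# Constructed sample entries for the two business processes named in the template
MARKETING_PLAN = Asset("2024 marketing plan", "informational",
                       "Marketing planning and execution", 4, 1, "high")
PORTAL_LINK = Asset("B2B portal Internet connection", "functional",
                    "Marketing planning and execution", 1, 5, "high")
HISTORIAN = Asset("Refinery process historian", "physical",
                  "Refinery operations", 3, 5, "high")

SAMPLE_ENTRIES = [
    (PORTAL_LINK, "Denial of service", "No rate limiting at the Internet edge", "Likely", "Damaging"),
    (MARKETING_PLAN, "Disclosure to competitors", "Unpatched file-sharing service", "Possible", "Serious"),
    (HISTORIAN, "Hardware failure", "Single historian server, no standby", "Unlikely", "Critical"),
    (HISTORIAN, "Backup media loss", "Tapes stored on site only", "Rare", "Minor"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        print(f"{row['risk_level']:<7} {row['asset']:<32} {row['threat']:<26} {row['strategy']}")
```

The multiplicative rule is one defensible choice for the matrix; whatever rule the company adopts, the useful property to keep is that the register rejects out-of-range ratings at entry time and orders the rows so that treatment effort starts at the top.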
Implementation:

Security policy

The objective of the information security policy is to provide management direction and support for information security in accordance with business requirements and governing laws and regulations. Information security policies will be approved by management, and published and communicated to all employees and relevant external parties. These policies set out the approach to managing information security and will align with relevant government and regulatory policies. Information security policies will be reviewed at planned intervals, or when significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness. Each policy will have an owner who holds approved management responsibility for the development, review, and evaluation of that policy. Reviews will include assessing opportunities for improving the policies and the approach to managing information security in response to changes in the company's environment, new threats and risks, business circumstances, legal and policy implications, and the technical environment.

The following are some of the security policies implemented to control information security:
- Information Security Compliance Policy
- Acceptable Use of Information Technology Resources
- Confidentiality Agreement
- Information Security Roles & Responsibilities
- Data Classification & Handling Policy
- Identity and Access Management Policy
- Password Standards
- Backup & Recovery Guidelines
- Data Sanitization Guidelines
- Media Destruction Procedure
Asset management

Information assets
It is a requirement of Information Standard 44, Information asset custodianship (IS44), that the company identify its information assets and establish and maintain an information asset register. The company may use this register, or establish a separate one, to record the information security classification of its information assets. For information assets that are public records, retention and disposal must be managed in accordance with a retention and disposal schedule approved by the state archivist.

Control of technology devices
It is a requirement of the Information Security Policy mandatory clauses that the company identify its ICT assets, document them and assign owners for the maintenance of information security controls. ICT assets must be assigned information security controls commensurate with the highest level of security classification applied to the information assets contained within, or transmitted via, the ICT asset.

Human resources management

Pre-employment
Depending on the nature of the business, consideration should be given as to whether:
- specific information security clauses should be included in the terms and conditions of employment (e.g. responsibilities and disciplinary processes);
- additional scrutiny is required during the recruitment and selection phase for positions involving exposure to classified or sensitive information, or where relevant legislation is in place (e.g. security assessments and criminal history checks).
During employment
Induction, training and awareness programs
The information security induction, training and awareness program should address all levels of staff and all areas of the company, and cover the following:
- general employee responsibilities;
- information security responsibilities concerned in particular with the correct operation of information systems and ICT facilities and devices;
- reporting of information security events, weaknesses and incidents;
- information security related responsibilities within the company code of conduct, and the disciplinary penalties for breaches.

Post-employment
The company should also ensure that procedures are in place for termination of employment. To meet this requirement, it is suggested that the company implement:
- exit interviews that ensure the employee understands their continuing responsibilities for maintaining information confidentiality;
- separation checklists that confirm:
  - the exit interview has been conducted;
  - all company property has been returned (e.g. access cards/keys, credit cards, mobile phones);
  - the employee's user ID has been disabled and access rights revoked.

Physical and environmental management

Building controls and secure areas
The level of building and secure area controls to be implemented depends on the classification of the information assets stored there.

Equipment security
The level of controls to be applied to company equipment depends on the classification of the information assets the equipment stores. The company should provide guidance with regard to the following controls:
- preparation and handling;
- removal from the workplace, and monitoring;
- discussing classified information (including by telephone and video conference);
- copying and storage;
- electronic transmission;
- archiving and disposal.
Communication and operations management

Responsibilities and procedures for the management and operation of all information processing facilities will be established. As a matter of policy, segregation of duties will be implemented, where appropriate, to reduce the risk of negligent or deliberate system or information misuse. Precautions will be taken to prevent and detect the introduction of malicious code and unauthorized mobile code, to protect the integrity of software and information. To prevent unauthorized disclosure, modification, removal or destruction of information assets, and interruption to business activities, media will be controlled and physically protected. Procedures for handling and storing information will be established and communicated to protect information from unauthorized disclosure or misuse. Exchange of sensitive information and software with other agencies and organizations will be based on a formal exchange policy. Media containing information will be protected against unauthorized access, misuse or corruption during transportation beyond the company's physical boundaries.

The company should manage:
- application integrity;
- backup procedures;
- network security;
- media handling;
- information exchange;
- e-commerce.
Access control

Access to information, information systems, information processing facilities, and business processes will be controlled on the basis of business and security requirements. Formal procedures will be developed and implemented to control access rights to information, information systems, and services, to prevent unauthorized access. Users will be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords, and of their responsibility to ensure that unattended equipment has appropriate protection. A clear desk policy for papers and removable storage devices, and a clear screen policy, will be implemented, especially in work areas accessible to the public. Steps will be taken to restrict access to operating systems to authorized users. Protection commensurate with the risks will be required when using mobile computing and teleworking facilities.

The company should incorporate the following to manage access control:
- access control policy;
- authentication;
- user access;
- user responsibilities;
- network access;
- operating system access;
- application and information access.
Incident management

Information security incidents will be communicated in a manner that allows timely corrective action to be taken. Formal incident reporting and escalation procedures will be established and communicated to all users. Responsibilities and procedures will be established to handle information security incidents once they have been reported.

Event/weakness reporting
The company should develop its policies and/or procedures for information security event and weakness reporting.

Incident procedures
The company should develop its procedures to manage information security incidents.
Disaster recovery management

The objective of business continuity management is to counteract interruptions to business activities, to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption. A business continuity management process will be established to minimize the impact on the company and to recover from loss of information assets to an acceptable level through a combination of preventive and recovery controls. A managed process will be developed and maintained for business continuity throughout the company that addresses the information security requirements of the company's business continuity.

Compliance

Legal requirements
Guidance on managing information security related legal requirements is included here; however, it is no replacement for the company seeking advice from its internal legal section on the specific legal requirements that apply to it.

Policy requirements
Information security policies, procedures and compliance should be reviewed, and reported on to appropriate management, at least annually to ensure the reliability and overall effectiveness of the security controls for all information systems, network infrastructures and applications.

Audit requirements
The company should ensure that appropriately qualified personnel are assigned to audit the compliance of the information environment against the company's policies, processes and industry technical standards, to ensure appropriate security levels are maintained. Where practical, these personnel should not be involved in the operational information or systems environment of the company.