
Information Security Plan at ABCL

Kranthi Kumar 10BM60001

Contents

I. Introduction
   a. Importance given to IT in ABCL
   b. What is the concern
II. Information Security Plan Framework
   a. Steps for Framework
   b. Fitting the security components into a framework
   c. Extension of the McCumber model with risk assessments
III. Plan and Organize
   a. Risk Management
IV. Implementation
   b. Security Policy
   c. Asset management
   d. Human resources management
   e. Physical and Environmental Management
   f. Communication and Operations Management
   g. Access Control
   h. Incident Management
   i. Disaster Recovery Management
   j. Compliance

Introduction
ABCL is a progressive downstream oil company that has operated in India for over 70 years. It was nationalized as per the policy of the Government of India.

Importance given to IT in ABCL
- It has networked all of its locations (over 400) and deployed all possible applications to reap the benefits of IT.
- It has transformed into an IT-savvy ABCL.
- It has implemented state-of-the-art systems such as SAP, SCM, B2B and B2C.
- It has a rich intranet in addition to specialized applications.

What is the concern


With increasing reliance on IT, top management became concerned with information security. In addition, as the company has grown to 6 SBUs, 3000 dealers and distributors, 5000 vendors and 5000 retail outlets, complexity is increasing and information is crossing organizational boundaries.

So there is a need for a comprehensive security plan for ABCL.

Information Security Plan


An Information Security Plan (ISP) is designed to protect information and critical resources from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. Information Technology (IT) security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures, and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved where necessary, to ensure that the specific security. This plan governs the privacy, security, and confidentiality of ABCL's data, especially highly sensitive data, and the responsibilities of departments and individuals for such data. IT security measures are intended to protect information assets and preserve the privacy of ABCL employees, sponsors, suppliers, and other associated entities. Inappropriate use exposes ABCL to risks including virus attacks, compromise of network systems and services, and legal issues. To effectively assess and implement a security plan for information technology (IT) systems, it is vital that a structured, information-centric process is followed.

Framework:
This security plan is needed:
- to protect the confidentiality, integrity and availability of data and safeguard information assets and resources;
- to identify processes and techniques that promote secure communications and the appropriate protection of information;
- to establish a common information security program framework that is consistent with business needs.

This framework identifies the twelve key components that should be considered when implementing, reviewing, or seeking to improve the value of the information security plan. There are different ways of describing the life cycle of any process.

Steps for Framework:
We will use the following steps:
- Plan and organize
- Risk management
- Implement security policies
- Asset management
- Human resource management
- Physical and Environmental Management
- Communication and Operations Management
- Access Control
- Incident Management
- Disaster Recovery Management
- Compliance

Fitting the security components into a framework:
The McCumber cube gives a framework to implement the information security plan. It gives the multi-dimensional view required to implement an information assurance program. The three dimensions are:
- Security services
- Information states
- Countermeasures

Viewing the cube from different angles provides a way to consider risk from different perspectives. The three primary aspects of the cube involve:

Information states
These represent the various forms in which information can be found within a system. Information is the fundamental aspect of what must be protected.
- Processing: information held in volatile memory or currently manipulated through the processor
- Storage: this generally refers to non-volatile storage such as files on hard drives or backup media
- Transmission: information transiting network media

Countermeasures
These are elements which can be used to defend a system from attack and to protect information in its various states.
- People: all individuals associated with a system, including administrators and users
- Policies and practices: documented policies and procedures used to guide people interacting with the system; workflows, separation of duties, and least privilege
- Technology: hardware and software which comprise the system, such as operating systems, applications, networking devices, and security tools

Security services
These are the ultimate security goals of a system. They are not concrete but intangible.
- Confidentiality: protecting information from unauthorized or unintended disclosure
- Integrity: a quality which prevents the unauthorized alteration or destruction of information
- Availability: the ability to retrieve requisite information in a timely manner for an authorized user

The McCumber Cube can be used by selecting a desired security service and considering what countermeasures must be implemented to protect the affected information states. This can be viewed as:

[Figure: Attack -> Information state -> Countermeasures -> Security goal]

Example: Let us view the model for the service of availability, which is one of the security services in the model.

Network availability:
- Attack: Denial of Service
- Information state: Transmission
- Countermeasures:
  - Technology: Intrusion detection
  - Policy: Monitoring
  - People: Incident response
- Security goal: Availability

Extension of the McCumber model with risk assessments
This model could also be used in a risk framework to ascertain the level of risk present for any given situation in a network environment. The perceived risks, coupled with their likelihood, could be used with this McCumber Cube extension to evaluate system risk.

[Figure: Threat -> Likelihood -> Countermeasures -> Risk]

Plan and Organize


Risk management:
Risk management refers to the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. A risk management program is an essential management function and is critical to successfully implementing and maintaining an acceptable level of security.

Detailed Outline of the Risk Assessment Process

1. Identify business process:
   a. The risk methodology determines risk for a particular business process. It is the business processes that are the foundation of the company's business, and therefore risk should be defined in regard to these processes.
   b. This methodology will tie the business processes to the assets they rely on, to the architecture that supports the assets, and to the vulnerabilities of the architecture. Together this will lead to a determination of the risks of the business process.

2. Determine operational concerns:
   a. There are three operational concerns to be considered:
      i. Confidentiality: the privacy and protection of data from unauthorized access or exposure.
      ii. Integrity: the accuracy of the data or systems used by your organization.
      iii. Availability: the accessibility of an asset for its intended use at a given point in time.
   b. These operational concerns apply to the business process, not to each individual asset. The operational concerns are defined with regard to the output of the business process.

The output after these two steps follows this template:

| Business Process                 | Operational concern |
|----------------------------------|---------------------|
| Marketing planning and execution | Availability        |
| Refinery operations              | Confidentiality     |

3. Identify or define assets:
   a. Each business process relies on multiple assets. Identify the assets and data items that are part of this business process.
   b. Although the majority of assets that will be identified will be informational, an asset can be of the following types:
      i. Informational: most assets that are defined will be informational; they will be data objects.
      ii. Functional: for example, an Internet connection can be a functional asset.
      iii. Physical: any physical component or equipment can be an asset.

4. For each asset determine:
   a. Business role.
   b. Logical data flow.
   c. User population.
   d. Access rights and controls:
      i. Physical access.
      ii. Logical access.
   e. Supporting architecture:
      i. System and network hardware.
      ii. System and network operating systems.
      iii. System and network applications.
      iv. Network protocol.
      v. System connectivity.
      vi. Physical environment.

5. Assign asset measurements:
   a. Each asset will be rated for sensitivity and criticality with regard to the critical process in question.
   b. The two asset measurements will be rated on a scale of 1 to 5 (1 = not important, 5 = extremely important):
      i. Sensitivity: the relative measurement of damage to the business process if the asset were disclosed to unauthorized users, such as competitors.
      ii. Criticality: the relative measurement of how crucial the asset is to the accomplishment of the business process.

6. Determine importance:
   a. Importance is a subjective rating of high, medium, low, or none assigned to each asset.
   b. This rating determines the importance of the asset to the business process.
   c. The importance rating is determined from the asset measurements assigned in the previous step and a subjective analysis of those values.
      i. Although the value assigned to each asset measurement will be independent of the operational concerns of the business process, the importance rating will have to consider the operational concerns.
         A. For example, an asset with a sensitivity value of 4 and a criticality value of 1 may have an importance rating of high, if sensitivity is more of a concern to the process than criticality. On the other hand, if sensitivity is of low concern and criticality is of higher concern, then the importance rating will be low.
         B. There is no mathematical way to determine the importance rating; the factors above have to be combined with an awareness of the organization's business and operations to determine the rating that makes the most sense.

Template for asset classification:

| Asset | Type (informational/physical/logical) | Business role | Access controls | Supporting architecture | Sensitivity (1 to 5) | Criticality (1 to 5) | Importance (high, medium, low) |
|-------|---------------------------------------|---------------|-----------------|-------------------------|----------------------|----------------------|--------------------------------|
|       |                                       |               |                 |                         |                      |                      |                                |

Identify Threats and Vulnerabilities


First, identify threats that could exploit system vulnerabilities. Identify all possible environmental, physical, human, natural, and technical threats. Consider the system's connections, dependencies on other systems, inherited risks and controls, risks from software faults, staff errors and malicious intent, and such factors as proximity to the Internet, incorrect file permissions, and risks from maintenance procedures and personnel changes. Next, consider the potential vulnerabilities associated with each threat, to produce a threat/vulnerability pair. A vulnerability can be associated with one or more threats. Collect input from previous risk assessments, audits, system deficiency reports, security advisories, scanning tools, security test results, system development testing, and industry and government listings.

Describe Risks
Describe how each vulnerability creates a risk to the system in terms of the confidentiality, integrity, availability and accountability elements that may result in a compromise of the system.

Identify Existing Controls


Identify existing controls that reduce the likelihood or probability of a threat exploiting a system vulnerability, and/or reduce the magnitude of impact of the exploited vulnerability on the system. Existing controls may be management, operational or technical controls depending on the threat / vulnerability and the risk to the system.

Determine Likelihood of Occurrence


Estimate the likelihood that a threat will exploit a vulnerability. Likelihood of occurrence is based on a number of factors that include system architecture, system environment, information system access and existing controls; the presence, motivation, tenacity, strength and nature of the threat; the presence of vulnerabilities; and the effectiveness of existing controls. Refer to this table when estimating the likelihood that the threat will be realized and exploit the vulnerability on the system.

Likelihood of Occurrence Levels

| Likelihood | Description                                        |
|------------|----------------------------------------------------|
| Negligible | Unlikely ever to occur                             |
| Very Low   | Likely to occur two/three times every five years   |
| Low        | Likely to occur once every year or less            |
| Medium     | Likely to occur once every six months or less      |
| High       | Likely to occur once per month or less             |
| Very High  | Likely to occur multiple times per month           |
| Extreme    | Likely to occur multiple times per day             |

Determine Severity of Impact


Determine the magnitude or severity of impact on the system's operational capabilities and the information it handles, if the threat is realized and exploits the associated vulnerability. Determine the severity of impact for each threat/vulnerability pair by evaluating the potential loss in each security category (confidentiality, integrity, availability, auditability, accountability).

Impact Severity Levels

| Severity      | Description                                                                                                   |
|---------------|---------------------------------------------------------------------------------------------------------------|
| Insignificant | Little or no impact                                                                                           |
| Minor         | Minimal effort to repair, restore or reconfigure                                                              |
| Significant   | Small but tangible harm, maybe noticeable by a limited audience, some embarrassment, some effort to repair     |
| Damaging      | Damage to reputation, loss of confidence, significant effort to repair                                        |
| Serious       | Considerable system outage, loss of connected customers and business confidence, compromise of a large amount of information |
| Critical      | Extended outage, permanent loss of resource, triggering business continuity procedures, complete compromise of information |

Determine Risk Levels


Risk level is the likelihood of occurrence multiplied by the severity of impact. The final value is subject to the discretion of the system's business and technical owners.

Risk determination
For each threat/vulnerability pair, assess the following:
- Likelihood of the threat attempting to exercise the vulnerability;
- Magnitude of impact if the threat/vulnerability exploit is successful;
- Adequacy of planned or existing security controls for reducing or eliminating risk;
  Note: The project team must decide whether to use only currently implemented controls for this analysis, or to include controls that are budgeted and scheduled for installation, and document that decision in the report.
- Resulting risk to the information on the system from the threat and vulnerability.

This table shows the resulting risk level, for each degree of likelihood and each level of severity.

Risk Levels (rows: likelihood of occurrence; columns: impact severity)

| Likelihood | Insignificant | Minor    | Significant | Damaging | Serious  | Critical |
|------------|---------------|----------|-------------|----------|----------|----------|
| Negligible | Low           | Low      | Low         | Low      | Low      | Low      |
| Very Low   | Low           | Low      | Low         | Low      | Low      | Low      |
| Low        | Low           | Low      | Low         | Moderate | Moderate | Moderate |
| Medium     | Low           | Moderate | Moderate    | High     | High     | High     |
| High       | Low           | Moderate | High        | High     | High     | High     |
| Very High  | Moderate      | High     | High        | High     | High     | High     |
| Extreme    | Moderate      | High     | High        | High     | High     | High     |

Safeguard Determination Phase/Risk mitigation


The safeguard determination phase involves identification of additional controls, safeguards or corrective actions to minimize the threat exposure and vulnerability to exploitation for each threat/vulnerability pair with a moderate or high risk level. The residual risk level is the amount of risk that would remain if the recommended control or safeguard were implemented.

Safeguard determination steps:
1. Identify controls and safeguards to reduce the risk level of each risk-threat pair, if the risk level is moderate or high.
2. Determine the residual likelihood of occurrence of the threat if the recommended safeguard is implemented.
3. Determine the residual impact severity of the exploited vulnerability once the recommended safeguard is implemented.
4. Determine the residual risk level for the system.

Consider safeguards related to testing and maintenance, improved audit capability, and restricting physical access.

Recommend Controls and Safeguards


Identify controls and safeguards to reduce the risk presented by each threat/vulnerability pair with a moderate or high risk level as identified in the Risk Determination Phase. When identifying a control or safeguard, consider:
1. Security area where it belongs, such as management, operational, technical.
2. Method it employs to reduce the opportunity for the threat to exploit the vulnerability.
3. Its effectiveness in mitigating the risk to information.
4. Policy and architectural parameters required for its implementation in the environment.
5. Information security category (confidentiality, integrity, availability, access control, audit, etc.) to which the safeguard applies.
6. Whether the cost of the safeguard is commensurate with its reduction in risk.

If more than one safeguard is identified for the same threat/vulnerability pair, list them in this column in separate rows and continue with the analysis steps. The residual risk level must be evaluated during this phase of the assessment and may be further evaluated in risk management activities outside the scope of this project. If the recommended safeguard cannot be completely implemented in the environment due to cost, management, operational or technical constraints, document the circumstances and continue with the analysis. Consider control elements implemented as policies and procedures, training, and improved policy enforcement.

Determine Residual Likelihood of Occurrence


Follow the directions in section 2.4 of the Risk Determination phase, while assuming the selected safeguard has been implemented.

Determine Residual Severity of Impact


Follow the directions of the Risk Determination phase while assuming the selected safeguard has been implemented.

Determine Residual Risk Levels


Determine the residual risk level for the threat/vulnerability pair and its associated risk once the recommended safeguard is implemented. The residual risk level is determined by examining the likelihood of occurrence of the threat exploiting the vulnerability and the impact severity factors in the categories of confidentiality, integrity and availability. Follow the directions of the Risk Determination phase to determine the residual risk level once the recommended safeguard is implemented. Depending on the nature and circumstances of threats and vulnerabilities, a recommended safeguard may reduce the risk level to Low.

For new systems, the next steps would include creating a sensitivity assessment, system security requirements, a risk assessment report, and a system security plan in the SDLC. The following risk register template shows all the threats and vulnerabilities with their risk levels and the corresponding strategies.
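The likelihood, severity and risk tables above, together with the residual-risk step, as an added Python example that is not part of the original plan: it looks up the risk level for a threat/vulnerability pair, flags the pairs that need a safeguard, and recomputes the residual risk once a safeguard is assumed. The sample pairs, safeguards and the "a safeguard never raises a rating" check are constructed assumptions, not ABCL's actual assessment.

```python
"""Risk register built from the plan's likelihood, severity and risk tables."""
from dataclasses import dataclass
from typing import Optional

# Ordered rating scales, exactly as the plan's tables define them.
LIKELIHOOD = ["Negligible", "Very Low", "Low", "Medium", "High", "Very High", "Extreme"]
SEVERITY = ["Insignificant", "Minor", "Significant", "Damaging", "Serious", "Critical"]

# Risk Levels table: one row per likelihood, one column per impact severity.
RISK_MATRIX = {
    "Negligible": ["Low", "Low", "Low", "Low", "Low", "Low"],
    "Very Low":   ["Low", "Low", "Low", "Low", "Low", "Low"],
    "Low":        ["Low", "Low", "Low", "Moderate", "Moderate", "Moderate"],
    "Medium":     ["Low", "Moderate", "Moderate", "High", "High", "High"],
    "High":       ["Low", "Moderate", "High", "High", "High", "High"],
    "Very High":  ["Moderate", "High", "High", "High", "High", "High"],
    "Extreme":    ["Moderate", "High", "High", "High", "High", "High"],
}


def risk_level(likelihood: str, severity: str) -> str:
    """Look up the risk level for a likelihood/severity combination."""
    if likelihood not in RISK_MATRIX or severity not in SEVERITY:
        raise ValueError(f"unknown rating: {likelihood!r} / {severity!r}")
    return RISK_MATRIX[likelihood][SEVERITY.index(severity)]


@dataclass
class ThreatVulnPair:
    """One threat/vulnerability pair with its current and residual ratings."""
    threat: str
    vulnerability: str
    likelihood: str
    severity: str
    safeguard: Optional[str] = None            # recommended control, if any
    residual_likelihood: Optional[str] = None  # rating once the safeguard is in place
    residual_severity: Optional[str] = None    # (None = unchanged by the safeguard)

    def risk(self) -> str:
        return risk_level(self.likelihood, self.severity)

    def needs_safeguard(self) -> bool:
        # The plan calls for safeguards only on Moderate or High pairs.
        return self.risk() in ("Moderate", "High")

    def residual_risk(self) -> str:
        """Risk remaining once the recommended safeguard is implemented."""
        if self.safeguard is None:
            return self.risk()
        lk = self.residual_likelihood or self.likelihood
        sv = self.residual_severity or self.severity
        # Sanity check (our assumption, not stated in the plan): a safeguard
        # may lower a rating but never raise it.
        if (LIKELIHOOD.index(lk) > LIKELIHOOD.index(self.likelihood)
                or SEVERITY.index(sv) > SEVERITY.index(self.severity)):
            raise ValueError(f"safeguard for {self.threat!r} raises a rating")
        return risk_level(lk, sv)


def build_register(pairs):
    """Return the risk register rows: current risk, safeguard, residual risk."""
    rows = []
    for p in pairs:
        needed = p.needs_safeguard()
        rows.append({
            "threat": p.threat, "vulnerability": p.vulnerability, "risk": p.risk(),
            "safeguard": p.safeguard if needed else "none required",
            "residual_risk": p.residual_risk() if needed else p.risk(),
        })
    return rows


# Constructed sample pairs (not ABCL's real assessment). The first follows the
# plan's own Network Availability example: DoS against data in transmission,
# countered by intrusion detection, monitoring and incident response.
SAMPLE_PAIRS = [
    ThreatVulnPair("Denial of Service", "Unfiltered traffic on network links",
                   "Medium", "Damaging",
                   safeguard="Intrusion detection + monitoring + incident response",
                   residual_likelihood="Low", residual_severity="Significant"),
    ThreatVulnPair("Unauthorized disclosure", "Shared accounts on the SAP front end",
                   "High", "Serious",
                   safeguard="Individual user IDs with role-based access",
                   residual_likelihood="Low"),
    ThreatVulnPair("Power outage", "Retail outlet PCs without a UPS",
                   "Very Low", "Minor"),
]
```

Calling `build_register(SAMPLE_PAIRS)` yields one register row per pair; the second pair stays Moderate after its safeguard because only its likelihood improved, which is the case where the plan says further risk management activities are needed.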

Implementation:
Security Policy
The objective of the information security policy is to provide management direction and support for information security in accordance with business requirements and governing laws and regulations. Information security policies will be approved by management, and published and communicated to all employees and relevant external parties. These policies will set out the approach to managing information security and will align with relevant statewide policies. Information security policies will be reviewed at planned intervals, or if significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness. Each policy will have an owner who has approved management responsibility for the development, review, and evaluation of the policy. Reviews will include assessing opportunities for improvement of information security policies and the approach to managing information security in response to changes to the company's environment, new threats and risks, business circumstances, legal and policy implications, and the technical environment.

The following are some of the security policies implemented to control information security:
- Information Security Compliance Policy
- Acceptable Use of Information Technology Resources
- Confidentiality Agreement
- Information Security Roles & Responsibilities
- Data Classification & Handling Policy
- Identity and Access Management Policy
- Password Standards
- Backup & Recovery Guidelines
- Data Sanitization Guidelines
- Media Destruction Procedure

Asset management

Information assets
It is a requirement of Information Standard 44, Information asset custodianship (IS44), that the company identify its information assets and establish and maintain an information asset register. The company may wish to use this register, or establish a separate one, to record the information security classification of its information assets. For information assets that are public records, their retention and disposal must be managed in accordance with a retention and disposal schedule approved by the state archivist.

Control of technology devices
It is a requirement of the Information Security Policy Mandatory Clauses that the company identify its ICT assets, document them and assign owners for the maintenance of information security controls. ICT assets must be assigned information security controls commensurate with the highest level of security classification applied to the information assets contained within or transmitted via the ICT asset.

Human resources management

Pre-employment
Depending on the nature of the business, consideration should be given as to whether:
- specific information security clauses should be included in terms and conditions of employment (e.g. responsibilities and disciplinary processes);
- additional scrutiny is required during the recruitment and selection phase for positions involving exposure to classified or sensitive information or where relevant legislation is in place (e.g. security assessments and criminal history checks).

During employment
Induction, training and awareness programs
The information security induction, training and awareness program should:
- address all levels of staff and all areas of the agency;
- cover the following:
  - general employee responsibilities;
  - information security responsibilities concerned in particular with the correct operation of information systems and ICT facilities and devices;
  - reporting of information security events, weaknesses and incidents;
  - information security related responsibilities within the agency code of conduct and the disciplinary penalties for breaches.

Post-employment
It is recommended that the company also ensure that procedures are in place for termination of employment. To meet this requirement, it is suggested that agencies implement:
- exit interviews that ensure the employee understands their continuing responsibilities for maintaining information confidentiality; and
- separation checklists that confirm:
  - the exit interview has been conducted;
  - all property has been returned (e.g. access cards/keys, credit cards, mobile phones);
  - the employee's user ID has been disabled and access rights revoked.

Physical and Environmental Management

Building controls and secure areas
The level of building and secure area controls to be implemented would depend on the classification of the information assets stored.

Equipment security
The level of controls to be applied to agency equipment would depend on the classification of the information assets the equipment stores. The company should provide some guidance with regard to the following controls:
- preparation and handling;
- removal from workplace and monitoring;
- discussing classified information (including telephone and video conference);
- copying and storage;
- electronic transmission;
- archive and disposal.

Communication and Operations Management
Responsibilities and procedures for the management and operation of all information processing facilities will be established. As a matter of policy, segregation of duties will be implemented, where appropriate, to reduce the risk of negligent or deliberate system or information misuse. Precautions will be used to prevent and detect the introduction of malicious code and unauthorized mobile code, to protect the integrity of software and information. To prevent unauthorized disclosure, modification, removal or destruction of information assets, and interruption to business activities, media will be controlled and physically protected. Procedures for handling and storing information will be established and communicated to protect information from unauthorized disclosure or misuse. Exchange of sensitive information and software with other agencies and organizations will be based on a formal exchange policy. Media containing information will be protected against unauthorized access, misuse or corruption during transportation beyond the company's physical boundaries.

The company should manage:
- Application integrity
- Backup procedures
- Network security
- Media handling
- Information exchange
- eCommerce

Access Control
Access to information, information systems, information processing facilities, and business processes will be controlled on the basis of business and security requirements. Formal procedures will be developed and implemented to control access rights to information, information systems, and services to prevent unauthorized access. Users will be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords. Users will be made aware of their responsibilities to ensure unattended equipment has appropriate protection. A clear desk policy for papers and removable storage devices and a clear screen policy will be implemented, especially in work areas accessible by the public. Steps will be taken to restrict access to operating systems to authorized users. Protection will be required commensurate with the risks when using mobile computing and teleworking facilities.

The company should incorporate some of the following to manage access control:
- Access control policy
- Authentication
- User access
- User responsibilities
- Network access
- Operating system access
- Application and information access

Incident Management
Information security incidents will be communicated in a manner allowing timely corrective action to be taken. Formal incident reporting and escalation procedures will be established and communicated to all users. Responsibilities and procedures will be established to handle information security incidents once they have been reported.

Event/weakness reporting
Companies should develop their policies and/or procedures for information security event and weakness reporting.

Incident procedures
Companies should develop their procedures to manage information security incidents.

Disaster Recovery Management
The objective of business continuity management is to counteract interruptions to business activities, to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption. A business continuity management process will be established to minimize the impact on the company and to recover from loss of information assets to an acceptable level through a combination of preventive and recovery controls. A managed process will be developed and maintained for business continuity throughout the agency that addresses the information security requirements needed for the company's business continuity.

Compliance

Legal requirements
The company should manage the information security related legal requirements that apply to it. However, this is no replacement for agencies seeking legal advice from their internal legal section on the specific legal requirements that apply to them.

Policy requirements
Information security policies, procedures and compliance should be reviewed and reported on to appropriate management at least annually, to ensure the reliability and overall effectiveness of the security controls for all information systems, network infrastructures and applications.

Audit requirements
The company should ensure that appropriately qualified personnel are assigned to audit the compliance of the information environment against the company's policies, processes and industry technical standards, to ensure appropriate security levels are maintained. These personnel should, where practical, not be involved in the operational information or systems environment of the company.