INFORMATION ASSURANCE AND SECURITY 1
IMPLEMENTING INFORMATION SECURITY
To begin, an information security project manager must understand that implementing a
security project involves time, effort, and a great deal of communication and coordination.
In general, the implementation phase entails modifying the configuration and operation of the
organization’s information systems in order to improve their security.
Changes to the following are included:
1. Procedures (for example, through policy)
2. People (for example, through training)
3. Hardware (for example, through firewalls)
4. Software (for example, through encryption)
5. Data (for example, through classification)
As you may recall from the previous chapters, entails gathering information about an organization’s goals, technical architecture, and information security environment.
These factors are used to create the information security blueprint, which serves as the foundation for safeguarding the confidentiality, integrity, and availability of the organization’s information.
The blueprint is translated into a project plan during the implementation phase. The project plan gives instructions to the people who will be carrying out the implementation phase.
These instructions focus on the security control improvements that are required to strengthen the security of the organization’s information systems: their hardware, software, processes, data, and personnel.
Organizational change is difficult to achieve, as the opening vignette of this chapter
indicates. The sections that follow go over the topics that must be addressed in a project
plan, such as project leadership, management, technical, and budgetary considerations,
and organizational resistance to change.
The major steps in executing the project plan are as follows:
1. Planning the project
2. Supervising task and action steps
3. Wrapping up
A detailed project plan is required for planning the implementation phase. A project manager or a project champion is frequently tasked with establishing such a project plan. This person oversees the project and delegates some tasks to other decision-makers.
Because most other employees lack the necessary information security background,
management authority, and technical understanding, the project manager is frequently
from the IT community of interest.
A simple planning tool such as the Work Breakdown Structure (WBS) can be used to generate the project plan. To apply the WBS method, first break the project plan down into its primary tasks. The WBS contains the primary project tasks, as well as the following properties for each:
1. Work to be accomplished (activities and deliverables)
2. Individuals (or skill set) assigned to perform the task
3. Start and end dates for the task (when known)
4. Amount of effort required for completion in hours or work days
5. Estimated Capital expenses for the task
6. Estimated noncapital expenses for the task
7. Identification of dependencies between and among tasks
The work to be accomplished includes both activities and deliverables. A deliverable is a finished document or software module that can be used as a starting point for further tasks or as a component of the final project.
The project planner should ideally give each task a name and a detailed description. The description should be precise enough to avoid ambiguity during the tracking process, but not so detailed that the WBS becomes unmanageable.
If the goal is to prepare firewall specifications for a request for proposal (RFP), for example, the planner should note that the deliverable is a specification document suitable for distribution to vendors.
The project planner should specify the skill set or person (commonly referred to as a resource) that will be required to complete the task. Naming individuals should be avoided in early planning attempts.
The project plan should focus on organizational responsibilities or known skill sets rather than allocating individuals. If any of the engineers in the network group can create the specifications for a router, the assigned resource will be indicated on the WBS as “Network Engineer”.
Individuals can and should be assigned specific duties and action steps as the planning
process continues. When only the manager of the networks group can analyze RFP
answers and award a contract, for example, the project planner should designate the
network manager as the resource assigned to this duty.
The project planner should try to set completion dates only for significant project milestones in the early phase of planning.
A milestone is a point in the project timeline when a task that has a significant impact on the project’s progress is completed.
The deadline for delivering the final RFP to suppliers, for example, is a milestone, since it signifies the completion of all RFP preparation work. Project management is complicated by assigning too many dates to too many tasks early in the planning process.
Early in the planning process, planners can avoid this issue by assigning only key or milestone start and end dates. Planners may add start and finish dates as needed later in the planning process.
Estimating the time and resources needed for each task is crucial. Even with formal
processes, it's important to get input from those most familiar with the tasks to ensure
accurate estimates.
Capital costs are associated with long-term assets (e.g., a firewall). However, accounting
practices vary, and some organizations may not consider software a capital expense.
These costs include things like staff time, project contracts, and other expenses
related to the project's implementation. Different organizations treat these
differently; some may include them as capital expenses, especially if the project
represents a significant upgrade to infrastructure or if it's a small project
considered part of ongoing operations.
Project planning must account for task dependencies. Predecessors are tasks that
must be completed before others, while successors are tasks that follow.
Understanding these dependencies is crucial for effective project management.
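As an added example (not from these notes or from any textbook), the WBS properties listed earlier and the predecessor/successor dependencies just described can be captured in a small Python program. The tasks, resources, effort figures and costs below are constructed sample data, and the firewall-RFP task names only echo the example used earlier in these notes. The program orders the tasks with a topological sort so that each task starts only after its predecessors finish, computes earliest start and finish days and the resulting milestone dates, totals the capital and noncapital estimates, and rejects an unknown or circular dependency, which a planner would otherwise discover only when the schedule stalls.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field


@dataclass
class Task:
    """One WBS entry carrying the properties listed in the notes."""
    name: str
    resource: str                 # skill set or role, not a named individual
    effort_days: int              # amount of effort required for completion
    capital: float = 0.0          # estimated capital expenses
    noncapital: float = 0.0       # estimated noncapital expenses
    predecessors: list[str] = field(default_factory=list)  # dependencies
    milestone: bool = False       # completion of this task is a milestone


def schedule(tasks: dict[str, Task]) -> dict[str, tuple[int, int]]:
    """Return {task name: (earliest start day, earliest finish day)}.

    Uses Kahn's topological sort, so a task is placed only after every
    predecessor already has a finish day. Raises ValueError for a dependency
    on an unknown task or for a dependency cycle, either of which would make
    the plan impossible to execute as written.
    """
    for task in tasks.values():
        for pred in task.predecessors:
            if pred not in tasks:
                raise ValueError(f"{task.name!r} depends on unknown task {pred!r}")

    indegree = {name: len(task.predecessors) for name, task in tasks.items()}
    successors: dict[str, list[str]] = {name: [] for name in tasks}
    for name, task in tasks.items():
        for pred in task.predecessors:
            successors[pred].append(name)

    ready = deque(name for name, deg in indegree.items() if deg == 0)
    dates: dict[str, tuple[int, int]] = {}
    while ready:
        name = ready.popleft()
        task = tasks[name]
        # A task can start once its latest-finishing predecessor is done.
        start = max((dates[p][1] for p in task.predecessors), default=0)
        dates[name] = (start, start + task.effort_days)
        for succ in successors[name]:
            indegree[succ] -= 1
            if indegree[succ] == 0:
                ready.append(succ)

    if len(dates) != len(tasks):
        stuck = sorted(set(tasks) - set(dates))
        raise ValueError(f"circular dependency among tasks {stuck}")
    return dates


def milestone_dates(tasks, dates):
    """Finish day of every task flagged as a milestone."""
    return {name: dates[name][1] for name, task in tasks.items() if task.milestone}


def budget(tasks):
    """(total capital, total noncapital) estimates across the whole WBS."""
    return (sum(t.capital for t in tasks.values()),
            sum(t.noncapital for t in tasks.values()))


# Constructed sample WBS for a firewall procurement; all figures are made up.
SAMPLE_WBS = {
    "firewall_spec": Task("firewall_spec", "Network Engineer", 5, noncapital=2000),
    "rfp": Task("rfp", "Network Manager", 3, noncapital=1000,
                predecessors=["firewall_spec"], milestone=True),
    "evaluate_bids": Task("evaluate_bids", "Network Manager", 10,
                          predecessors=["rfp"]),
    "purchase_firewall": Task("purchase_firewall", "Procurement", 2,
                              capital=25000, predecessors=["evaluate_bids"]),
    "install": Task("install", "Network Engineer", 4,
                    predecessors=["purchase_firewall"]),
    "user_training": Task("user_training", "Security Trainer", 5,
                          noncapital=3000, predecessors=["rfp"]),
    "cutover": Task("cutover", "Network Manager", 1,
                    predecessors=["install", "user_training"], milestone=True),
}

if __name__ == "__main__":
    plan = schedule(SAMPLE_WBS)
    for name, (start, finish) in plan.items():
        flag = " (milestone)" if SAMPLE_WBS[name].milestone else ""
        print(f"{name:18} day {start:3} -> {finish:3}  {SAMPLE_WBS[name].resource}{flag}")
    print("milestones:", milestone_dates(SAMPLE_WBS, plan))
    print("capital / noncapital:", budget(SAMPLE_WBS))
```

Resources are recorded as roles, as the notes recommend for early planning; a later pass can replace a role with a named person without touching the scheduling logic. Only the two tasks flagged as milestones get firm dates, matching the advice to set dates only for milestones early on.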
Planners must carefully consider how to break down jobs into subtasks and action steps, and how best to manage these to achieve the project's goals.
The amount of effort spent on information security is limited by available funding.
Cost-benefit analysis (CBA) is essential to justify expenses. Public organizations
face unique challenges due to their budgeting processes, often relying on grants
and facing scrutiny. Benchmarking against similar organizations' spending can
help in justifying budget requests. End-of-fiscal-year spending pressures are
common.
The most significant information security controls should be prioritized in the
project plan. Budgetary constraints and the relative value/threat of information
assets guide the prioritization of controls. Less-important controls may be
addressed later if resources allow.
Planning must account for the time needed to order, install, configure, and train
users on a new security control. The time to realize a return on investment should
be considered when choosing options.
The project's success depends on having qualified, trained, and available
personnel. If necessary staff aren't already available, they must be hired or trained.
Equipment and service selection processes are often constrained. Businesses may need to consider factors like specific technology, vendor capabilities, and long-term maintenance costs when making purchasing decisions. Even smaller purchases require detailed supporting documentation.
Security-related technological changes should be transparent to users. However,
new procedures, authentication, and training may be necessary. Thorough
planning and user training (ideally 1-3 weeks before implementation) are crucial to
avoid resistance and potential security risks.
A phased or pilot implementation of new security procedures or technology is
recommended. Sufficient training and communication are crucial, including
regular meetings and distribution of compliance documentation to ensure all
employees understand and agree to the new policies.
Carefully assess and maintain the project scope. Implementing multiple security
controls simultaneously can lead to unforeseen conflicts and complications. A
smart plan limits the project scope to manageable components and schedules
tasks to avoid conflicts.
Managing information security projects requires specialized skills and experience.
Even experienced project managers should seek expert advice when dealing with
advanced or integrated technologies. A formal bidding procedure may be
necessary for outsourcing.
Successful implementation of information security projects requires strong
leadership and a champion from the general management community. The best
approach is to assign a senior IT manager or cross-functional team to oversee the
project, ensuring alignment with the business's unique needs and cultural context.
Projects should use a negative feedback loop (cybernetic loop) to monitor
progress. Regularly measured progress is compared to the project plan. If
deviations occur, corrective action is taken (adjusting estimates or amending the
plan) to bring the project back on track. Corrective actions often involve trade-offs
among effort, time, and deliverable quality/quantity.
Project closure involves a procedural process led by a mid-level IT or information
security manager. This includes gathering documents, finalizing reports,
conducting a wrap-up meeting to address outstanding concerns, evaluating the
project's overall effort, and drawing conclusions about how to improve the
process in the future.
Implementing security projects involves both technical and human components.
Technical aspects prioritize technology application, while human aspects focus on
multiple interfaces, outsourcing, and technological governance.
Provisions: This involves meticulously planning the transition from the old to the
new system, establishing provisions for all components of the new security
system before implementation.
Direct Changeover ("Cold Turkey"): This is a rapid, complete switch to the new
system, abandoning the old one. While simple, it carries a high risk of service
disruption if the new system malfunctions.
Phased Implementation: This is a gradual rollout of the new system, introducing elements incrementally. This minimizes disruption and allows for adjustments during the transition.
Incremental Upgrade: This involves upgrading specific systems (like VPNs or IDPS)
one at a time before connecting them to the network. This is often used when
upgrading network security components.
Parallel Operations: This strategy involves running both old and new security
systems simultaneously during a transition. While it provides a backup if one
system fails, managing two systems concurrently is complex and often
disadvantageous.
The Bull's-Eye Model is a prioritization method for complex information security
transformation programs. It emphasizes a systemic, rather than individual-issue,
approach to improving security. The model uses a four-layer structure:
Policies: This is the outermost layer, forming the foundation for all other security
components. Sound information security policies define what the organization is
seeking to accomplish and create rules for all systems' use.
Networks: This layer addresses network security, which has become increasingly
crucial due to the rise of internet-based threats. A successful DMZ (demilitarized
zone) is essential for protecting networks from external threats.
Systems: As organizations grow, the number and complexity of their systems
increase, making secure management more challenging. This tier includes servers,
desktop computers, and systems for process control and manufacturing.
Applications: This layer includes application software, such as office automation
and email programs, as well as enterprise resource planning (ERP) packages.
Packaged software and custom applications are included here. Attention should
be paid to the most critical applications first.
It's not mandatory for every organization to have its own information security
department or program. Outsourcing part or all of an organization's information
security functions is an option, particularly for smaller businesses that may lack
the resources or expertise to handle these tasks in-house. Outsourcing commonly
includes security audits, penetration testing, and network monitoring.
This is a complex process used to manage the installation, innovation, updates,
and obsolescence of technology within an organization. Effective technology
governance facilitates cross-organizational dialogue and helps to deal with
technological advancements and concerns. A change control method is used to
improve communication, coordination, and reduce unintended consequences of
changes.
Information security implementation involves nontechnical aspects concerning the
human interface with technical systems and the organizational culture. Businesses
undergoing change need to consider the impact on employees and adapt their
management accordingly.
Change, whether instinctive or deliberate, can cause resistance from employees.
Effective change management involves understanding and addressing this
resistance. Project managers can reduce the likelihood of errors and
vulnerabilities by promoting resilience to change and adopting change
management techniques. The fundamental principle is recognizing that
organizations have cultures that influence how they react to change.
Making a company more adaptable to change requires steps to lessen resistance
at the start of the planning process. These procedures help organization members
become more adaptable as changes occur. The goal is to make the change
process smoother and more readily accepted.
The ease of adopting procedural and management changes depends on the level
of deeply ingrained old procedures and behaviors. To improve the acceptance of
information security enhancements, communication is crucial. A three-step
process is recommended:
Communication: Inform employees early and often about the new security process
and solicit their input. Continuous updates are essential to prevent the change
from becoming a last-minute surprise.
Information and Education: Educate employees about the proposed changes and
their individual impact. Share details as they emerge, and provide high-quality
training.
Employee Participation: Involve employees in the project plan, including them in
the development process. A liaison between IT implementers and the general
public can help address unforeseen issues.
Organizations have a critical need to foster a culture that readily adapts to change. Effective leadership, clear communication, and dedicated project champions are highlighted as essential for successful transformations. Resistance to change is identified as a significant obstacle to effective management and project completion.
A crucial distinction is made between certification and accreditation of IT
systems. Accreditation grants authorization for an IT system to handle sensitive
data, while certification verifies that the system meets specific security
requirements. Both processes are cyclical, requiring regular reevaluation and
renewal to maintain compliance.
refers to any information that is owned, produced, or controlled by the
government and is deemed critical to the national defense, safety, and security of
a country. This information is often classified to prevent unauthorized access and
potential harm to national interests.
refers to any information system or network that is integral to the security,
defense, and intelligence operations of a nation. These systems support the
functions required to protect the country from internal and external threats,
ensure national defense, and maintain critical operations.
is a structured process used to identify, assess, mitigate, and monitor risks to an
organization's information systems and operations. It is widely adopted in
industries like cybersecurity, finance, and government to ensure systems remain
secure and compliant with regulations.
Tier 1: Organizational - Focus: This tier establishes the overall organizational
strategy for risk management. It sets the tone, defines policies, and provides the
high-level guidance that informs all subsequent risk management activities.
Tier 2: Mission - Focus: This tier focuses on aligning risk management with the
organization's mission and business objectives. It considers how risks might
impact the achievement of mission goals and operational effectiveness.
Tier 3: Information System - Focus: This tier is where the actual risk assessment
and control implementation take place at the individual information system level.
1. Categorize: Classify the system and data based on impact.
2. Select: Choose baseline security controls.
3. Implement: Put controls in place.
4. Assess: Evaluate the effectiveness of the controls.
5. Authorize: Approve system operation based on risk assessment.
6. Monitor: Continuously monitor and assess security controls.
National security interest systems utilize their own security C&A criteria, following
"NSTISS Instruction 1000: National Information Assurance Certification and
Accreditation Process (NIACAP)" guidelines. It's described as a document from the
National Security Agency (NSA) and the Committee on National Systems Security
(CNSS), formerly known as the National Computer Security Center.
NIACAP establishes a process for certifying and accrediting national security
systems. It ensures that systems maintain an approved security posture
throughout their lifecycle.
The process involves several key roles: the IS program manager, Designated
Approving Authority (DAA), certification agent (certifier), and user representative.
These individuals are crucial for scheduling, budgeting, security, functionality, and
performance aspects. The DAA is also the accreditor.
The SSAA is a legally binding document that outlines the C&A process's outcomes.
It's designed to be flexible and adaptable. The SSAA becomes the baseline
security configuration document after accreditation.
The SSAA includes descriptions of the operating environment, security
architecture, system boundaries, the formal agreement among key personnel, and
all requirements for accreditation. It streamlines documentation by consolidating
applicable information.
Phase 1: Definition
Goal: To define the security measures, level of effort, resource requirements, and boundaries (C&A border) needed for certification and accreditation. This phase establishes the scope and plan for the entire process.
Key Activities: This involves defining security requirements, agreeing on the level of effort, and determining the resources needed. The System Security Authorization Agreement (SSAA) is drafted in this phase.
Phase 2: Verification
Goal: To ensure that the system being certified complies with the requirements
outlined in the SSAA. This phase verifies that the emerging or updated system
meets the established security standards.
Key Activities: This involves various verification activities to confirm that the
system meets the defined security requirements.
Phase 3: Validation
Goal: To confirm that the fully integrated system complies with the SSAA's
security policy and criteria. This phase determines whether the system is ready for
operation.
Key Activities: This phase focuses on gathering evidence to support the DAA's
judgment about whether to approve the system's operation (accreditation) or
grant interim approval.
Phase 4 of NIACAP, Post-Accreditation, focuses on maintaining the system's
security posture after it has been certified and accredited for operation.
Phase 4 emphasizes the importance of continuous monitoring, maintenance, and
adaptation to maintain the security of the system after the initial certification and
accreditation process is complete.