Chapter 2
Fundamentals of
Information Systems Security
   Objectives
    ● Understand fundamental concepts of Security
    ● Be able to analyze the principles of information Systems
      security.
    ● Be able to analyze the types of security controls.
    ● Understand what Policies, Standards and Procedures are
    ● Understand how to plan, design, implement and
      administer secured systems
    ● Explain Information Systems Security Program
      Assessment Metrics
10/10/2023           Chapter 2 Fundamentals of Information Systems Security   2
   IS Security Fundamentals
    ● Information Security is a Process
         ○ Bruce Schneier, one of the world’s well-known experts on
           security, once wrote that “security is a process, not a
           product.”
         ○ Indeed, with all the changing variables and players, security
          is a never-ending evolutionary process, wherein defenses
          change in response to new threats and new threats emerge
          with the introduction of new systems and defenses.
   Principles of Information Security
    ● Information security deals with three basic
      issues: the confidentiality, integrity, and
      availability of information.
    ● All of the principles, standards, and mechanisms you
      will encounter are dedicated to these three abstract
      but fundamental goals of Security, also referred to
      as the C-I-A triad or information security triad.
   Principles Cont’d…
    ● The following are some of the major principles of Information Security
         ○ Principles of least privilege,
         ○ Defense in Depth
         ○ Minimization
         ○ Compartmentalization.
         ○ Keep Things Simple
         ○ Fail Securely
         ○ Cost-Benefit Analysis
         ○ Secure the weakest link
       Least Privilege
   ● The principle of least privilege stipulates, “Do not give any more
     privileges than absolutely necessary to do the required job”.
   ● The principle of least privilege is a preventive control, because it
     reduces the number of privileges that may be potentially abused
     and therefore limits the potential damage.
   ● Examples
         ○ Giving users read only access to shared files if that’s what they
           need, and making sure write access is disabled
         ○ Not allowing help desk staff to create or delete user accounts if all
           that they may have to do is to reset a password
         ○ Not allowing software developers to move software from
           development servers to production servers
   Defense in depth
    ● The principle of defense in depth is about having more than one layer or
      type of defense. The reasoning behind this principle is that any one layer
      or type of defense may be breached, no matter how strong and reliable
      you think it is.
    ● But two or more layers are much more difficult to breach.
    ● Defense in depth works best when you combine two or more different
      types of defense mechanisms—such as using a firewall between the
      Internet and your LAN, plus the IP Security Architecture (IPSEC) to encrypt
      all sensitive traffic on the LAN.
    ● In this scenario, even if your firewall is compromised, the attackers still
      have to break IP Security to get to your data flowing across the LAN.
   Minimization
   ● The minimization principle is similar to the least privilege principle
     and mostly applies to system configuration instead of the user
     privileges.
   ● The minimization principle says “do not run any software,
     applications, or services that are not strictly required to do the
     entrusted job.”
   ● To illustrate, a computer whose only function is to serve as an e-mail
     server should have only e-mail server software installed and enabled.
   ● All other services and protocols should either be disabled or not
     installed at all to eliminate any possibility of compromise or misuse.
   Compartmentalization
    ● Compartmentalization, or the use of compartments (also known as
      zones, jails, sandboxes, and virtual areas), is a principle that limits
      the damage and protects other compartments when software in
      one compartment has malfunctioned or been compromised.
    ● Applications run in different compartments are isolated from each
      other.
    ● In such a setup, the compromise of web server software, for
      example, does not take down or affect e-mail server software
      running on the same system but in a separate compartment.
         ○ From the Concept of Compartments in large Ships
   Keep things simple
    ● Complexity is the worst enemy of security. Complex
      systems are inherently more insecure because they are
      difficult to design, implement, test, and secure.
    ● The more complex a system is, the less assurance we
      may have that it will function as expected.
     ● Security doesn’t work by obscurity (hiding).
   Fail Securely
    ● Although fail securely may sound like an oxymoron, it isn’t. Failing
      securely means that if a security measure or control has failed for
      whatever reason, the system should not be rendered to an insecure
      state.
    ● For example, when a firewall fails, it should default to a “deny all” rule,
      not a “permit all.”
     ● However, fail securely does not mean “close everything” in all cases; if
       we are talking about a computer-controlled building access control
       system, for example, in case of a fire it should default to “open doors”
       to help trapped people get out of the building.
     ● The main objective is to remain secure even in a failed state.
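The two failure cases on this slide (a firewall whose rule set is lost, and a door controller whose badge backend is down while the fire alarm is or is not active), as an added example that is not part of the lecture. The rule sources, the badge backend and the badge number are constructed; the fail-open variant is included only to show the anti-pattern beside the correct one.

```python
"""Failing securely: two of the slide's cases in one small decision engine.

Added example, not from the lecture. A packet filter whose rule set cannot be
loaded must fall back to "deny all", while a door controller whose policy
backend is unreachable stays locked, unless the fire alarm is active, in which
case life safety wins and the doors release. Rule sources and the badge
backend are simulated callables.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "*" for any
    dst_port: Optional[int]  # None matches any port


def good_rule_source() -> List[Rule]:
    """Constructed, well-formed rule set: HTTPS in, everything else denied."""
    return [Rule("allow", "tcp", 443), Rule("deny", "*", None)]


def broken_rule_source() -> List[Rule]:
    """Simulates a corrupt rule file or an unreachable policy server."""
    raise IOError("rule set could not be loaded")


def load_rules(source: Callable[[], List[Rule]]) -> Optional[List[Rule]]:
    """Return the rules, or None when the control itself has failed.

    None (not an empty list) forces every caller to decide explicitly what an
    absent policy means instead of inheriting an accidental default."""
    try:
        return source()
    except Exception:
        return None


def filter_packet(rules: Optional[List[Rule]], proto: str, dst_port: int) -> str:
    """Fail closed: a failed rule load, or no matching rule, means deny."""
    if rules is None:
        return "deny"
    for r in rules:
        if r.proto in ("*", proto) and r.dst_port in (None, dst_port):
            return r.action
    return "deny"


def filter_packet_fail_open(rules: Optional[List[Rule]], proto: str, dst_port: int) -> str:
    """The anti-pattern the slide warns about: treating 'no rules' as 'permit all'.
    A failed load now silently opens every port."""
    if not rules:
        return "allow"
    return filter_packet(rules, proto, dst_port)


def door_decision(backend: Callable[[str], bool], badge: str, fire_alarm: bool) -> str:
    """Building access: secure failure is not always 'close everything'.

    Fire alarm active   -> doors release, whether or not the backend answers.
    Backend unreachable -> doors stay locked (fail closed for the normal case)."""
    if fire_alarm:
        return "open"
    try:
        return "open" if backend(badge) else "locked"
    except Exception:
        return "locked"


def badge_backend_up(badge: str) -> bool:
    """Constructed badge database: one valid badge."""
    return badge == "E123"


def badge_backend_down(badge: str) -> bool:
    raise ConnectionError("badge server unreachable")


if __name__ == "__main__":
    print("firewall, rules ok,   tcp/443:", filter_packet(load_rules(good_rule_source), "tcp", 443))
    print("firewall, rules lost, tcp/22 :", filter_packet(load_rules(broken_rule_source), "tcp", 22))
    print("fail-open variant,    tcp/22 :", filter_packet_fail_open(load_rules(broken_rule_source), "tcp", 22))
    print("door, backend down, no alarm :", door_decision(badge_backend_down, "E123", False))
    print("door, backend down, alarm    :", door_decision(badge_backend_down, "E123", True))
```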
  Cost-Benefit Analysis
     ● Although not strictly a principle, the cost-benefit analysis is a
          must when considering implementation of any security
          measure.
     ● It says that the overall benefits received from a particular
          security control or mechanism should clearly exceed its total
          costs; i.e., the value of the information protected should be
          more than the cost we incur to protect it; otherwise,
          implementing the security control would make no sense.
     ● This may sound like simple common sense, and it probably is;
          nevertheless, this is an important and often overlooked
          concern.
   Secure the Weakest link
   ● For people new to information security, many information
     security principles and approaches may sound like little
     more than common sense.
   ● Although that may well be the case, it doesn’t help us much,
     because very often we still fail to act with common sense.
   ● The principle of securing the weakest link is one such case:
     look around and you will likely see a situation in which instead
     of securing the weakest link, whatever it may be, resources
     are spent on reinforcing the already adequate defenses.
        Types of IS Security Controls
  ● Central to information security is the concept of controls, which may
    be categorized
  ● By their functionality
     ○ Preventive, Detective, Corrective, Deterrent, Recovery, and
       Compensating, in this order
  ● By the Plan of application
      ○ Physical: Controls that are physically present in the “real world”
      ○ Administrative: Controls defined and enforced by management
      ○ Logical/Technical: Technology controls performed by machines
      ○ Operational: Controls that are performed in person by people
       ○ Virtual: Controls that are triggered dynamically when certain
         circumstances arise.
     Examples of Security Controls
    ● Preventative
         ○ Physical: Locks
         ○ Administrative: Separation and rotation of duties, security procedures
         ○ Logical/Technical: Firewalls, Intrusion Prevention System (IPS), authentication
         ○ Operational: Guards on station
         ○ Virtual: Dynamic access lists
    ● Detective
         ○ Physical: Cameras
         ○ Logical/Technical: Intrusion Detection System (IDS), logging, Security
           Information and Event Management (SIEM), cryptographic checksums
         ○ Operational: Guards patrolling
    ● Deterrent
         ○ Physical: Signs, barbed wire
         ○ Administrative: Security policies
         ○ Logical/Technical: Warning messages
         ○ Operational: Visible guards and cameras
         ○ Virtual: Dynamic pop-up warnings
    ● Corrective
         ○ Administrative: HR penalties
         ○ Logical/Technical: Redundancy
    ● Recovery
         ○ Logical/Technical: Backups, data replication
         ○ Operational: Disaster recovery plans
    ● Compensating
         ○ Logical/Technical: Manual processes
   Types of Controls by Functionality - Preventive
   ● Preventive controls try to prevent security
     violations and enforce access control.
   ● Like other controls, preventive controls may be
     physical, administrative, or technical: doors, security
     procedures, and authentication requirements are
     examples of physical, administrative, and technical
     preventive controls, respectively.
   Types of Controls - Detective
 ● Detective controls are in place to detect security
   violations and alert the defenders. They come into play
   when preventive controls have failed or have been
   circumvented, and these controls are no less crucial
   than preventive controls.
 ● Detective controls include cryptographic checksums,
   file integrity checkers, audit trails and logs, and similar
   mechanisms. But how do you know if you are being
   passively attacked, say by spyware?
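The checksum-based file integrity checker named on this slide, as an added example that is not part of the lecture: it records a SHA-256 baseline of a directory tree, then reports files that were modified, added or removed since the baseline. The sample directory, its file contents and the changes made to it are constructed inside a temporary directory so the script runs offline.

```python
"""File-integrity checker: a detective control built on cryptographic checksums.

Added example (not from the lecture slides). It records a baseline of SHA-256
digests for a directory tree, then compares a later scan against that
baseline. The sample tree is constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                digests[p.relative_to(root).as_posix()] = sha256_file(p)
    return digests


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Record the baseline. In practice it must live where the monitored host
    cannot rewrite it (read-only media or a separate server), otherwise an
    intruder can simply re-baseline after tampering."""
    baseline_file.write_text(json.dumps(scan(root), indent=2, sort_keys=True))


def compare(root: Path, baseline_file: Path) -> dict:
    """Return {'modified': [...], 'added': [...], 'removed': [...]}."""
    baseline = json.loads(baseline_file.read_text())
    current = scan(root)
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Build a constructed sample tree, take a baseline, change it, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(root, baseline_file)

        # Constructed changes the checker should surface: an edited config,
        # an unexpected new file, and a deleted file.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "unexpected.conf").write_text("x=1\n")
        (root / "hosts").unlink()
        return compare(root, baseline_file)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The same comparison is what periodic integrity scans feed into a SIEM; the check is only as trustworthy as the protection of the baseline file.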
   Types of Controls -Corrective
    ● Corrective controls try to correct the situation after
      a security violation has occurred. Although a
      violation has occurred, not all is lost, so it makes
      sense to try and fix the situation.
    ● Corrective controls vary widely, depending on the
      area being targeted, and they may be technical or
      administrative in nature.
          ○ What will you do if you lose the key to your data center?
   Types of Controls - Deterrent
    ● Deterrent controls are intended to discourage
      potential attackers and send the message that it
      is better not to attack, but even if you decide to
      attack we are able to defend ourselves.
    ● Examples of deterrent controls include notices
      of monitoring and logging as well as the visible
      practice of sound information security
      management.
  Types of Controls - Recovery
   ● Recovery controls are somewhat like corrective
     controls, but they are applied in more serious
     situations to recover from security violations and
     restore information and information processing
     resources.
   ● Recovery controls may include disaster recovery
     and business continuity mechanisms, data backup
     systems, emergency key management arrangements, etc.
           ○ E.g., cockpit lockouts – this caused a fatal accident in France Air.
   Types of Controls- Compensating
    ● Compensating controls are intended to be
      alternative arrangements for other controls
    ● Used when the original controls have failed or
      cannot be used.
     ● When a second set of controls addresses the same
       threats that are addressed by another set of
       controls, the second set of controls is the
       compensating control.
   Access Control Models
   ● Logical access control models are the abstract foundations upon
     which actual computer-based access control mechanisms and
     systems are built. Access control is among the most important
     concepts in computer security (as policy is in information security).
   ● Access control models define  how computers enforce
        access of subjects (such as users, other computers,
        applications, and so on) to objects (such as
        computers, files, directories, applications, servers,
        printers, and devices).
   Types of Access Control Models
     ● Four main access control models exist:
              ○ The Discretionary Access Control model (DAC).
              ○ The Mandatory Access Control model (MAC).
              ○ The Role-Based Access Control model (RBAC).
              ○ The Rule-Based Role-Based Access Control
                model (RB-RBAC).
       Discretionary Access Control (DAC)
   ● The discretionary access control model is the most widely used of the
     three models.
   ● Controls access based on the identity of the requestor and on
     access rules (authorizations) stating what requestors are (or are not)
     allowed to do.
   ● In the DAC model, the owner (creator) of information (file or directory)
     has the discretion to decide about and set access control restrictions
     on the object in question.
   ● The ability to share resources in a peer-to-peer configuration allows
     users to control and possibly provide access to information or resources
     at their disposal.
   Mandatory Access Control
   ●    Mandatory access control, as its name suggests, takes a stricter approach to
        access control.
   ●    Controls access based on comparing security labels (which indicate how
        sensitive or critical system resources are: classification levels) with security
        clearance levels (which indicate which system entities are eligible to access
        certain resources).
   ●    Users have little or no discretion as to what access permissions they can
        set on their information.
   ●    MAC-based systems use data classification levels (such as public, confidential,
        secret, and top secret) and security clearance levels corresponding to data
        classification levels to decide what access control restrictions to enforce
   ●    This Model works in accordance with the system wide security policy set
        by the system administrator.
   ●    Data has a classification Level and Users have a Clearance Level.
   Role-Based Access Control (RBAC)
   ●    Controls access based on the roles that users have within the system and on
        rules stating what accesses are allowed to users in a given role.
   ●    In the role-based access control model, rights and permissions are assigned to
        roles instead of individual users.
       ○     This added layer of abstraction permits easier and more flexible
             administration and enforcement of access controls.
   ●    For example, access to marketing files may be restricted to the marketing
        manager role only, and users Solomon, David, and Ali may be assigned the role of
        marketing manager.
       ○   Later, when a user moves from the marketing department to elsewhere, it
           is enough to revoke his role of marketing manager; no other changes would
           be required.
   ●    When you apply this approach to an organization with thousands of employees
        and hundreds of roles, you can see the added security and convenience of using
        RBAC.
   Rule-Based Access Control (RB-RBAC)
       ● Rule-based access control is also known by the acronym RBAC or
         RB-RBAC.
       ● Rule Based Access Control will dynamically assign roles to users
         based on criteria defined by the custodian or system administrator.
       ● For example, if someone is only allowed access to files during
         certain hours of the day, Rule Based Access Control would be the
         tool of choice.
       ● The additional “rules” of Rule Based Access Control requiring
         implementation may need to be “programmed” into the network
         by the custodian or system administrator in the form of code
         versus “checking the box.”
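The four models from the preceding slides (DAC, MAC, RBAC and rule-based RBAC) as one small decision engine, added here as an example that is not part of the lecture or of any real product. All users, objects, labels, roles and the business-hours rule are constructed; the MAC write rule (no write down) goes beyond the slide, which only describes the clearance-versus-classification comparison for access in general.

```python
"""DAC, MAC, RBAC and rule-based RBAC as one small decision engine.

Added example, not from the lecture. All subjects, objects, labels, roles and
the business-hours rule are constructed sample data; every check returns
True (permit) or False (deny).
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List, Set, Tuple


# ---- DAC: the owner of the object decides; everyone else is denied by default.
@dataclass
class DacObject:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> {"read", "write"}

    def grant(self, by: str, user: str, perm: str) -> None:
        """Only the owner may change the ACL; that is the 'discretionary' part."""
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner of this object")
        self.acl.setdefault(user, set()).add(perm)


def dac_check(obj: DacObject, user: str, perm: str) -> bool:
    return user == obj.owner or perm in obj.acl.get(user, set())


# ---- MAC: a system-wide policy compares the user's clearance with the data label.
LEVELS = ["public", "confidential", "secret", "top secret"]  # lowest to highest


def mac_check(clearance: str, classification: str, perm: str) -> bool:
    """Read: clearance must dominate the label (no read up).
    Write: label must dominate the clearance (no write down); this write rule is
    the Bell-LaPadula confidentiality rule, an assumption beyond the slide."""
    c, k = LEVELS.index(clearance), LEVELS.index(classification)
    return c >= k if perm == "read" else c <= k


# ---- RBAC: permissions attach to roles; users are assigned roles.
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "marketing_manager": {("marketing_files", "read"), ("marketing_files", "write")},
    "help_desk": {("accounts", "reset_password")},
    "finance_reader": {("finance_files", "read")},
}
USER_ROLES: Dict[str, Set[str]] = {
    "solomon": {"marketing_manager"}, "david": {"marketing_manager"},
    "ali": {"marketing_manager"}, "sara": {"help_desk"},
}


def rbac_check(user: str, obj: str, perm: str,
               user_roles: Dict[str, Set[str]] = USER_ROLES) -> bool:
    return any((obj, perm) in ROLE_PERMS.get(r, set()) for r in user_roles.get(user, set()))


def revoke_role(user: str, role: str, user_roles: Dict[str, Set[str]] = USER_ROLES) -> None:
    """The slide's point: moving a user out of marketing is a single role revocation."""
    user_roles.get(user, set()).discard(role)


# ---- Rule-based RBAC: custodian-defined rules add roles dynamically.
RoleRule = Callable[[str, time], Set[str]]


def business_hours_rule(user: str, now: time) -> Set[str]:
    """Constructed rule: anyone holds 'finance_reader' only between 09:00 and 17:00."""
    return {"finance_reader"} if time(9, 0) <= now < time(17, 0) else set()


def rbrbac_check(user: str, obj: str, perm: str, now: str, rules: List[RoleRule]) -> bool:
    """now is an 'HH:MM' clock time; rules may add roles for this request only."""
    clock = time.fromisoformat(now)
    dynamic = set().union(*(rule(user, clock) for rule in rules))
    effective = {user: USER_ROLES.get(user, set()) | dynamic}
    return rbac_check(user, obj, perm, effective)


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC     bob reads alice's file      :", dac_check(doc, "bob", "read"))
    print("MAC     secret clearance reads conf.:", mac_check("secret", "confidential", "read"))
    print("RBAC    david reads marketing files :", rbac_check("david", "marketing_files", "read"))
    print("RB-RBAC sara reads finance at 10:00 :",
          rbrbac_check("sara", "finance_files", "read", "10:00", [business_hours_rule]))
```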
     Centralized vs. Decentralized Access Control
    ● Further distinction should be made between centralized
      and decentralized (distributed) access control models.
    ● In environments with centralized access control, a single,
      central entity makes access control decisions and
      manages the access control system;
     ● Whereas in distributed access control environments, these
       decisions are made and enforced in a decentralized
       manner (with multiple access control monitoring
       servers).
   IS Security: Policies, Standards and Procedures
    ● A policy is a high-level statement of enterprise beliefs,
      goals and the general means for their attainment
    ● Standards are mandatory requirements that support
      individual policies
    ● Procedures are mandatory step-by-step, detailed
      actions required to complete a task successfully.
    ● Guidelines are similar to standards but are not
      mandatory.
   Policy
     ● Policies are driven by business objectives and convey the
       amount of risk senior management is willing to
       accept.
     ● They should be easily accessible and understood by the intended
       reader.
     ● They are created with the intent to be in place for several
       years and are regularly reviewed, with approved
       changes made as needed.
   Standards
    ● Used to indicate expected user behavior.
         ○ For example, a consistent company email signature.
    ● Might specify what hardware and software solutions are
      available and supported.
    ● Compulsory and must be enforced to be effective. (This also
      applies to policies!)
         ○ Standards refer to mandatory activities, actions, rules, or regulations.
         ○ Standards can give directions on how a policy is supported and
           reinforced
   Procedures
    ● Often act as the “cookbook” for staff to consult to
      accomplish a repeatable process.
    ● Detailed enough and yet not too difficult that only
      a small group (or a single person) will understand.
     ● Installing operating systems, performing a system
       backup, granting access rights to a system and
       setting up new user accounts are all examples of
       procedures.
   Guidelines Vs Best Practices Vs Baselines
    ● Guidelines are recommendations to users when specific standards do
      not apply.
   ● Best Practices: When there are no specific procedures / guidelines to use,
      organizations can use Industry Best Practice, which are security efforts that
      are among the best in the industry, balancing the need for access to
      information with adequate protection.
   ● Baselines: A baseline can refer to a point in time that is used as a
      comparison for future changes and results in a consistent reference point.
      ○      Baselines are also used to define the minimum level of protection that is required
      ○      Once risks have been mitigated, and security put in place, a baseline is formally
             reviewed and agreed upon, after which all further comparisons and development
             are measured against it
   Policy and Procedure Cont’d…
         The objective of information security is to protect the integrity,
         confidentiality and availability of the information
         An information protection program should be part of an overall asset
         protection program
         Information security policies, standards and procedures enable
         organizations to
             Ensure that their security policies are properly addressed
             Ensure that every employee knows what s/he needs to do to ensure the
              information security of the company
             Give a similar response for every problem – consistency in handling an
              issue.
   Policy, Standards and procedures…..
   The linkage-putting it altogether – with an Example
    ● A policy might state that access to confidential data must be
      audited.
     ● A supporting guideline (standard) could further explain that
       audits should contain sufficient information to allow for
       reconciliation with prior reviews. It may also indicate
       acceptable/supported logging technologies.
     ● Supporting procedures would outline the necessary steps to
       configure, implement, and maintain this type of auditing.
     ● Policies are strategic (long term) while standards, guidelines and
       procedures are tactical (medium term).
   Developing policies: A good policy should
         Be Easy to understand (By all people who will have to read the policy)
         Be Applicable (Don’t copy others’ policy word by word since it may not be applicable to you)
         Be Do-able (The restrictions should not stop work!)
         Be Enforceable (If it cannot be enforced, it will probably remain on paper)
         Be Phased in (Organizations need time to digest policy)
         Be Proactive (Say “what is allowed” rather than “what is not allowed”)
             ○ Organizations think:
               ■ Anything that is not permitted is prohibited
              ○ Users think:
               ■ Anything that is not prohibited is permitted
   A Good Policy Cont’d…
        Avoid absolutism (Be diplomatic)
        Meet business objectives
         Must balance Access and Security.
         Should lower the security risks to a level acceptable by the organization
             without hampering the work of the organization to an unacceptable level
   Types of Policies (based on the purposes they serve)
        Regulatory: This type of policy ensures that the organization is
        following standards set by specific industry regulations
        Advisory: This type of policy strongly advises employees
        regarding which types of behaviors and activities should and
        should not take place within the organization
        Informative: This type of policy informs employees of certain
        topics. It is not an enforceable policy, rather one to teach
        individuals about specific issues relevant to the company.
   Developing security policies: There are three types (Tiers) of
   security policies - layers
        Global policies (Tier 1)
                Used to create the organization’s overall vision and direction
                An enterprise information security policy (EISP)
        Topic specific policies (Tier 2)
                Address particular subject of concern
                The issue-specific security policy, or ISSP
                   Ex. Antivirus, E-mail, Webserver….
        Application-specific policies (Tier 3)
                Decisions taken by management to control particular applications
                System-specific security policies (SysSPs)
                   Ex. Accounting system, HR System , Supply Chain Management System… etc.
   Information Classification Policy- an Example
         Why classify?
         Among the information available in the enterprise there are (approx.)
                10% confidential information
                80% internal use information
                10% public information
         It would be a big waste of resources to give the same level of security for
             all the information we have
         You don’t put everything you own in a safe place!
          What is confidential information?
         Information, if disclosed, could
                Violate privacy of individuals
                Reduce company’s competitive advantage
                Cause damage to the organization
             Information Classification cont’d…
         Many organizations classify information into different
         classes of security
         Part of the asset classification policy
         An information or asset classification process is a
         business decision process
         Examples of Information Classification
         Top Secret, Confidential, Restricted, Internal Use, Public
         Company confidential Red, Company confidential Yellow,
             Company confidential Green, Company Public
   Information Classification cont’d…
        How to develop classification levels (standards)
         Discuss with other organizations’ specialists and learn from their
             experiences
         Discuss with the management of your organization
         Prepare a draft and discuss it with the management
         Avoid the temptation of having too many levels
         The information classification policy
              Defines the department’s policy with regards to
              classification, declassification and reclassification of information
   Developing standards
        Standards define what is to be accomplished in specific terms
        Every industry has standards that try to ensure some quality of
        product or service, or enable interoperability
        Many industry standards have information security issues
            Ex. Banking, Healthcare
        Some of the standards become national regulations and organizations will
        have to follow them (national standards)
        Organizations can also develop their own standards (enterprise standards)
        Standards are easier to update than global policies
        Standards have to be reviewed regularly (every year, for example)
   Developing standards cont’d…
        Standards must be
         Reasonable
         Flexible
         Current
         Practical
         Applicable
         Reviewed regularly
        Standards should enable the enterprise to fulfill its
        business objectives while minimizing the security risks
             Developing Procedures
         Developing a procedure should be faster than developing a policy since it does not need
         to be approved by management
         The best way to write a procedure is to use a technical writer (different from the subject
         matter expert – SME)
         Procedure writing process (what is procedure ?)
            Interview with the SME
            Preparation of a draft
            Review of the draft by the SME
            Update of the procedures based on the comments
            Final review by SME
            Update of the procedures based on the comments
            Testing of the procedures
            Publishing of the procedures
         The procedures should also be reviewed regularly
         How about practices? How do they help in security? What does “best practices” mean?
  Security Education, Training, and Awareness (SETA) program
         The defined policies, standards and procedures will not serve their
         purpose if they are not communicated to the people (an important component of
         IS)
         Generally, a Security Education, Training, and Awareness (SETA) program
         is desirable in an organization. A SETA program includes:
       Security Education is a long-term insight as to why security is
             important.
       Security Training is a midrange plan to transfer knowledge and skill of
             how security can be achieved.
       Security Awareness is a short-term exposure to what security
             information is available.
   Benefits of performing a SETA program
    ● Improving awareness of the need to protect
        system resources
    ● Developing skills and knowledge so computer
        users can perform their jobs more securely.
    ● Building in-depth knowledge, as needed, to
        design, implement, or operate security programs
        for organizations and systems.
   SETA Program Summary
   IS Security Governance Structure
    ● Governance of information security is a part of
      information systems governance.
    ● It introduces a new position under the CIO (the head
      of the IS department): the CISO.
    ● CISO - Chief Information Security Officer
             ○ The head of information security in an
               organization.
   The CIO (Chief Information Officer)
    ● The changing role of the ISD (Information Systems Department) highlights
      the fact that the CIO is becoming an important member of the firm's top
      management team. This shows in:
         ○ Realization of the need for IT-related disaster planning and the
           importance of IT to the firm’s activities.
         ○ Aligning IT with the business strategy
         ○ Implementing state-of-the-art solutions
         ○ Providing information access
         ○ Being a business visionary who drives business strategy
         ○ Coordinating resources
   The IS Security Governance Hierarchy
  ● The Chief information security officer (CISO) has primary
    responsibility for the assessment, management, and
    implementation of information security systems in the
    organization.
  ● The CISO usually reports directly to the CIO, although in larger
    organizations it is not uncommon for one or more layers of
    management to exist between the two.
  ● However, the recommendations of the CISO to the CIO must be
    given equal, if not greater, priority than other technology and
    information-related proposals.
Approaches to IS Security Program Implementation
             This is the Security Hierarchy (figure)
Security Positions – what difference did you see?
   Planning, Designing, Implementing and Monitoring Secured
   systems (SecSDLC)
   ●    Information systems are developed using a standard development approach, the SDLC,
        which has a set of distinct phases.
   ●    Each phase of the SDLC should include consideration of the security of the
        system being assembled as well as of the information it uses.
   ●    Usually security considerations are underestimated in the development of an
        information system.
    ○        Security is usually perceived as a technical-only issue, and common practice considers
             security requirements in isolation from the functional requirements of an information system.
   ●    The traditional SDLC does not, by itself, include security considerations.
   ●    Recently, some organizations have been working on information security
        frameworks.
   ●    The well-known security framework is the C&A (Certification and Accreditation) process
        of NIST (National Institute of Standards and Technology) of the USA. NIST has since folded
        C&A into its Risk Management Framework (SP 800-37), where the same steps are called
        security assessment and authorization.
   SecSDLC- Phases
   ● The same phases used in the traditional SDLC can
     be adapted to support the implementation of an
     information security project.
   ● While the two processes may differ in intent and
     specific activities, the overall methodology is the
     same. At its heart, implementing the information
     security involves identifying specific threats and
     creating specific controls to counter those threats.
   ● The SecSDLC unifies this process and makes it a
     coherent program rather than a series of random,
     seemingly unconnected actions.
   ● Other organizations use a risk management
     approach to implement information security
     systems.
   C&A: Phases/Process to secured SDLC
   C&A
    ● Certification and Accreditation (C&A) is a process
      for implementing an information security system.
    ● It is a systematic procedure for evaluating,
      describing, testing and authorizing systems before
      or after they go into operation.
    ● The C&A process is used extensively in the U.S.
      Federal Government.
   C&A: what are they?
   ● Certification is a comprehensive evaluation of the technical and
     non-technical security controls (safeguards) of an information system.
   ● The evaluation supports the accreditation process and establishes the
     extent to which a particular design and implementation meets a set of
     specified security requirements.
   ● Accreditation is the formal declaration by a senior agency official
     (Designated Accrediting Authority (DAA) or Principal Accrediting
     Authority (PAA)) that an information system is approved to operate at
     an acceptable level of risk, based on the implementation of an
     approved set of technical, managerial, and procedural security
     controls (safeguards).
   ● In current NIST guidance (SP 800-37, the Risk Management Framework) the
     same decision is called authorization and the official who makes it the
     Authorizing Official (AO). In both vocabularies the decision rests with
     management, not with the assessors who performed the evaluation.
 The Secured Systems Development Process
    ● Has five basic phases which can be aligned to the
      Waterfall Model/SDLC phases:
         ○ Initiation Phase
         ○ Development/Acquisition
         ○ Implementation/Assessment
         ○ Operational/Maintenance
         ○ Disposal
   What we do at Initiation phase
   ● During this phase, security requirements at an enterprise
     level are identified.
   ● Key activities include:
       ○     Initial delineation of business requirements in terms of
             confidentiality, integrity, and availability
       ○     Determination of information categorization and identification
             of known special handling requirements to transmit, store, or
             create information such as personally identifiable information
       ○     Determination of any privacy requirements.
   What we do at Development & Acquisition phase
    ● During this phase, technical and functional
      requirements are translated into an actual plan for
      an information system.
    ● Key activities include:
             ○ Conduct the risk assessment and use the results to
               supplement the baseline security control
             ○ Analyze security requirements
             ○ Perform functional and security testing
   What we do at Implementation/ Assessment phase
   ● During this phase, the system will be installed and
     evaluated in the organization’s operational environment.
   ● Key activities include:
       ○     Integrate the information system into its operational
             environment
       ○     Plan and conduct system certification activities in
             synchronization with testing of security controls; and
       ○     Complete system accreditation activities
   What we do at Operations/Maintenance Phase
   ● In this phase,
      ○      systems are in place and operating,
      ○      enhancements and/or modifications to the system are developed
             and tested
      ○      hardware and/or software is added or replaced.
      ○      The system is monitored for continued performance in accordance
             with security requirements and needed system modifications are
             incorporated.
      ○      The operational system is periodically assessed to determine how
             the system can be made more effective, secure, and efficient.
             Remember that IS security is a process, not an absolute result or product.
   Operations/Maintenance…
   ● Key activities include:
       ○ Configuration management and control ensures adequate
             consideration of the potential security impacts due to specific
             changes to an information system or its surrounding environment.
             ■   What kind of testing helps to avoid vulnerabilities due to a change in an IS
                 component?
       ○ Continuous monitoring ensures that controls continue to be
             effective in their application through periodic testing and
             evaluation.
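The two activities above are distinct checks and a monitoring job should report them separately: configuration management asks whether an approved baseline has changed at all, continuous monitoring asks whether the control it supports still holds. The following Python is an added example, not part of the original slides or of any NIST document; the sshd_config excerpts, the approved baseline and the list of required settings are constructed for illustration.

```python
import hashlib

# Constructed, hypothetical sshd_config excerpts (not from the original page):
# the approved baseline and two later snapshots collected by a monitoring job.
BASELINE = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
"""
# A tuning change: content differs from the baseline, but required settings hold.
SNAPSHOT_TUNED = BASELINE.replace("MaxAuthTries 3", "MaxAuthTries 4")
# A weakening change: an administrator re-enabled password logins.
SNAPSHOT_WEAKENED = BASELINE.replace("PasswordAuthentication no",
                                     "PasswordAuthentication yes")

# Settings the access-control requirement depends on (assumed policy).
REQUIRED = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}


def digest(text):
    """SHA-256 of the file content: the cheapest 'has anything changed' test."""
    return hashlib.sha256(text.encode()).hexdigest()


def parse_sshd(text):
    """Minimal keyword/value parser for sshd_config-style files.

    Like sshd itself, the first occurrence of a keyword wins, so a
    'PasswordAuthentication yes' appended at the end of the file would have
    no effect, while one inserted above the original line would.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings


def assess(baseline, current, required):
    """Return (drifted, violations).

    drifted    - content no longer matches the approved baseline: a change
                 that configuration management must have authorised and
                 regression-tested.
    violations - required settings not met: the control has stopped being
                 effective, which continuous monitoring must raise whether or
                 not the change was authorised.
    """
    drifted = digest(current) != digest(baseline)
    cur = parse_sshd(current)
    violations = {k: cur.get(k) for k, want in required.items() if cur.get(k) != want}
    return drifted, violations


if __name__ == "__main__":
    for name, snap in [("baseline", BASELINE), ("tuned", SNAPSHOT_TUNED),
                       ("weakened", SNAPSHOT_WEAKENED)]:
        print(name, assess(BASELINE, snap, REQUIRED))
```

Drift without a violation (the MaxAuthTries change) is a change-control question: was it authorised and regression-tested? A violation is a control failure and should raise an incident even if the change went through change control. Because sshd honours the first occurrence of a keyword, a check that merely greps for a forbidden line anywhere in the file would misjudge both cases; the parser mirrors the daemon's semantics instead.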
   What we do at Disposal Phase
   ● This phase is important for disposal of a
     system and closeout of any contracts in place.
   ● When information systems are transferred,
     become obsolete, or are no longer usable, it is
     important to ensure that organizational
     resources and assets are protected.
   Disposal phase cont’d…
    ● Key activities include:
             ○ Build and execute a disposal/transition plan;
             ○ Archive critical information (preservation);
             ○ Sanitize media;
             ○ Dispose of hardware and software.
             The SDLC
               7 - Risk management in this context refers to risk associated with the development, not to computer
               security or system technical risk.
   Security Consideration in SDLC- Summary
   The Security Systems Development Life Cycle
 The Security Systems Development Life Cycle Cont’d…
   Information Systems Security Assessment Metrics
    ● The information security industry has produced many security frameworks
      that are used internationally for assessing systems security.
    ● These frameworks facilitate the implementation of security controls within
      an organization.
    ● Among the most popular are:
             ○ Control Objectives for Information and Related Technology (COBIT),
             ○ the ISO 27000 series of standards,
             ○ Information Technology Infrastructure Library (ITIL),
             ○ Operationally Critical Threat, Asset and Vulnerability Evaluation
               (OCTAVE). – Class discussion – next week!
   IS Security Assessment Metrics
    ● Measures and measurements are very important in order to
      assess the effectiveness of an implemented Information Security
      Management System (ISMS) and controls or groups of controls.
    ● Measures are key indicators or variables for which measurements
      must be made.
    ● Measurements are generated by counting; metrics are
      generated from the analysis of measurements.
    ● In other words, measurements are objective raw data and
      metrics are either objective or subjective human
      interpretations of the analytical output on those data.
   IS Security Assessment Metrics Cont’d…
    ● According to Center for Internet Security (CIS), there can be three
      types of metrics for Information Systems Security programs.
             ○ Management: Provide information on the performance of
               business functions, and the impact on the organization
                ■ Audience: Business management
             ○ Operational: Used to understand and optimize the activities of
               business functions
                ■ Audience: Security management
             ○ Technical: Provide technical details as well as a foundation for
               other metrics.
                ■ Audience: Security operations
   IS Security Measurement Requirements
 ● The following activities are considered a basis for an organization to fulfil
     IS Security Measurement requirements.
      ○ Developing measures (i.e. base measures, derived measures and indicators).
      ○ Implementing and operating an Information Security Measurement Program.
      ○ Collecting and analyzing data.
      ○ Developing measurement results.
      ○ Communicating developed measurement results to the relevant
        stakeholders.
      ○ Using measurement results as contributing factors for future decisions
      ○ Facilitating continuous improvement of the Information Security
        Measurement Program
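To make the vocabulary concrete (measurements as counts and metrics as analysis of them on the earlier slide; base measures, derived measures and indicators here; the three CIS audiences), the following Python is an added example that is not part of the original slides. The findings, the 30-day SLA and the green/amber/red thresholds are constructed assumptions; the base/derived/indicator terms follow ISO/IEC 27004.

```python
from datetime import date

# Constructed sample data (hypothetical findings, not from the original page):
# critical findings with report date, fix date (None = still open) and owning team.
FINDINGS = [
    {"id": "F-1", "team": "web", "reported": date(2023, 9, 1),  "fixed": date(2023, 9, 10)},
    {"id": "F-2", "team": "web", "reported": date(2023, 9, 3),  "fixed": date(2023, 10, 8)},
    {"id": "F-3", "team": "db",  "reported": date(2023, 9, 5),  "fixed": date(2023, 9, 30)},
    {"id": "F-4", "team": "db",  "reported": date(2023, 8, 20), "fixed": None},
    {"id": "F-5", "team": "web", "reported": date(2023, 10, 1), "fixed": None},
    {"id": "F-6", "team": "db",  "reported": date(2023, 9, 15), "fixed": date(2023, 10, 1)},
]
SLA_DAYS = 30               # assumed policy: critical findings fixed within 30 days
AS_OF = date(2023, 10, 10)  # date the measurement is taken


def base_measures(findings, as_of, sla_days):
    """Base measures are raw counts: the 'measurements' of the earlier slide.

    A finding is 'due' once it is fixed or its SLA window has elapsed; open
    findings still inside the window are not counted against the control.
    """
    due = [f for f in findings
           if f["fixed"] is not None or (as_of - f["reported"]).days > sla_days]
    met = [f for f in due
           if f["fixed"] is not None and (f["fixed"] - f["reported"]).days <= sla_days]
    open_overdue = [f for f in due if f["fixed"] is None]
    return {"due": len(due), "met": len(met), "open_overdue": len(open_overdue)}


def derived_measures(base):
    """Derived measures are functions of base measures: here a percentage."""
    if base["due"] == 0:
        return {"pct_met": None}
    return {"pct_met": round(100.0 * base["met"] / base["due"], 1)}


def indicator(derived, target=90.0, warn=75.0):
    """An indicator compares a derived measure with decision criteria
    (assumed thresholds) and yields the status shown to management."""
    pct = derived["pct_met"]
    if pct is None:
        return "no data"
    if pct >= target:
        return "green"
    if pct >= warn:
        return "amber"
    return "red"


def report(findings, as_of=AS_OF, sla_days=SLA_DAYS):
    """One dataset, three audiences as in the CIS split: technical counts for
    security operations, per-team percentages for security management, a
    single indicator for business management."""
    teams = sorted({f["team"] for f in findings})
    operational = {
        t: derived_measures(
            base_measures([f for f in findings if f["team"] == t], as_of, sla_days)
        )["pct_met"]
        for t in teams
    }
    overall = base_measures(findings, as_of, sla_days)
    derived = derived_measures(overall)
    return {
        "technical": overall,
        "operational": operational,
        "pct_met": derived["pct_met"],
        "management": indicator(derived),
    }


if __name__ == "__main__":
    print(report(FINDINGS))
```

The same six records produce all three metric types; only the analysis differs. Note the denominator decision in base_measures: counting F-5, which is still inside its SLA window, would penalise a team for a finding it has not yet had time to fix, so the definition of each base measure has to be written down and agreed before the indicator is trusted.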
Key Components of Information System Security Assessment
Program- 4 Components
 ● Program Initiation: This component “identifies relevant
   stakeholders”, determines who receives the security metrics, and
   “what information they require to discharge their responsibility”.
    ○ Security Requirement identification
 ● Developing information security metrics: This is used to design the
   Security policy and the security controls.-consists of two major
   activities:
    ○ Identification and definition of the current IT security program/Policy and
    ○ Development and selection of specific metrics to measure the
      implementation, efficiency, effectiveness, and the impact of the security
      controls.
   Security Assessment Program Components Cont’d…
    ● Reporting information security metrics: This component analyzes how
      information security metrics can be used to demonstrate "compliance
      with security requirements (e.g., policy and procedures)".
             ○ Measure compliance with the security program/policy.
    ● Maintaining (adapting) an information security metrics program:
      Once an information security metrics program is deployed, the process is
      not over.
             ○ Continuous monitoring and evaluation are important so that the metrics can
               be changed with the changing security environment and defense mechanisms.
             ○ Fine tuning the metrics.
Approaches to IS Security Program Implementation
     ● The bottom-up approach: An information security
         program can begin as a grassroots effort in
         which systems administrators attempt to
         improve the security of their systems (at the
         application level).
     ● The top-down approach: In this case, the
         project is initiated by upper-level managers
         who issue policy, procedures and processes,
         dictate the goals and expected outcomes, and
         determine accountability.
Approaches to IS Security Program Implementation
   Information System Security Assessment Model
Info. Systems Security Assessment Model – a Digital
Library Case
   Info. Systems Security Assessment Model
    ● As shown in the previous slide:
       ○ The higher the position on the staircase, the more
         complete and complex is the state of IS
         security management.
       ○ The model works on the premise that the critical
         foundation of Information System Security (ISS) is
         its technological infrastructure, which must be in place
         first and foremost.