SECURITY IN COMPUTING FIETH EDITION Chapter 7: Management and Incidents 授课教师:高海波 可南中医药大学 信息管理与信息系统教研室 From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
SECURITY IN COMPUTING, FIFTH EDITION Chapter 7: Management and Incidents From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved. 1 授课教师:高海波 河南中医药大学 信息管理与信息系统教研室
2 Chapter 7 Objectives Study the contents of a good security plan Learn to plan for business continuity and responding to incidents Outline the steps and best practices of risk analysis Learn to prepare for natural and human-caused disasters From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Chapter 7 Objectives • Study the contents of a good security plan • Learn to plan for business continuity and responding to incidents • Outline the steps and best practices of risk analysis • Learn to prepare for natural and human-caused disasters 2 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved
3 Contents of a Security Plan Policy, indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those g oa lIs Current state, describing the status of security at the time of the plan Requirements, recommending ways to meet the security goals Recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements Accountability, documenting who is responsible for each security activity Timetable, identifying when different security functions are to be done Maintenance, specifying a structure for periodically updating the security plan From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Contents of a Security Plan • Policy, indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals • Current state, describing the status of security at the time of the plan • Requirements, recommending ways to meet the security goals • Recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements • Accountability, documenting who is responsible for each security activity • Timetable, identifying when different security functions are to be done • Maintenance, specifying a structure for periodically updating the security plan 3 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved
Security Policy A high-level statement of purpose and intent Answers three essential questions Who should be allowed access? To what system and organizational resources should access be allowed? What types of access should each user be allowed for each resource? Should specify The organizations security goals(e. g, define whether reliable service is a higher priority than preventing infiltration Where the responsibility for security lies(e.g, the security group or the user) The organizations commitment to security(e.g, defines where the security group fits in the corporate structure From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Security Policy • A high-level statement of purpose and intent • Answers three essential questions: • Who should be allowed access? • To what system and organizational resources should access be allowed? • What types of access should each user be allowed for each resource? • Should specify • The organization’s security goals (e.g., define whether reliable service is a higher priority than preventing infiltration) • Where the responsibility for security lies (e.g., the security group or the user) • The organization’s commitment to security (e.g., defines where the security group fits in the corporate structure) 4 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved
5 Assessment of Current Security Status A risk analysis-a systemic investigation of the system, its environment, and what might go wrong-forms the basis for describing the current security state Defines the limits of responsibility for security Which assets are to be protected Who is responsible for protecting them Who is excluded from responsibility Boundaries of responsibility From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Assessment of Current Security Status • A risk analysis—a systemic investigation of the system, its environment, and what might go wrong—forms the basis for describing the current security state • Defines the limits of responsibility for security • Which assets are to be protected • Who is responsible for protecting them • Who is excluded from responsibility • Boundaries of responsibility 5 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved
6 Security Requirements Security requirements are functional or performance demands placed on a system to ensure a desired level of security Usually derived from organizational business needs sometimes including compliance with mandates imposed from outside, such as government standards Characteristics of good security requirements Correctness Consistency Completeness Realism Need Verifiability Traceability From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Security Requirements • Security requirements are functional or performance demands placed on a system to ensure a desired level of security • Usually derived from organizational business needs, sometimes including compliance with mandates imposed from outside, such as government standards • Characteristics of good security requirements: • Correctness • Consistency • Completeness • Realism • Need • Verifiability • Traceability 6 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved
7 Inputs to the Security Plan Security policies (Constraints) Requirements -> Security Planning Security plan Process Security Techniques and controls (Mechanisms) From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Inputs to the Security Plan 7 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved
8 Responsibility for Implementation A section of the security plan will identify which people(roles)are responsible for implementing security requirements Common roles Users of personal computers or other devices may be responsible for the security of their own machines. Alternatively, the security plan may designate one person or group to be coordinator of personal computer security Project leaders may be responsible for the security of data and computations Managers may be responsible for seeing that the people they supervise implement security measures Database administrators may be responsible for the access to and integrity of data in their databases Information officers may be responsible for overseeing the creation and use of data; these officers may also be responsible for retention and proper disposal of data Personnel staff members may be responsible for security involving employees for example, screening potential employees for trustworthiness and arranging security training programs From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Responsibility for Implementation • A section of the security plan will identify which people (roles) are responsible for implementing security requirements • Common roles: • Users of personal computers or other devices may be responsible for the security of their own machines. Alternatively, the security plan may designate one person or group to be coordinator of personal computer security. • Project leaders may be responsible for the security of data and computations. • Managers may be responsible for seeing that the people they supervise implement security measures. • Database administrators may be responsible for the access to and integrity of data in their databases. • Information officers may be responsible for overseeing the creation and use of data; these officers may also be responsible for retention and proper disposal of data. • Personnel staff members may be responsible for security involving employees, for example, screening potential employees for trustworthiness and arranging security training programs. 8 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved
9 Timetable and plan maintenance As a security plan cannot be implemented instantly, the plan should include a timetable of how and when the elements in it will be performed The plan should specify the order in which controls are to be implemented so that the most serious exposures are covered as soon as possible The plan must be extensible, as new equipment will be acquired, new connectivity requested, and new threats identified The plan must include procedures for change and growth The plan must include a schedule for periodic review From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Timetable and Plan Maintenance • As a security plan cannot be implemented instantly, the plan should include a timetable of how and when the elements in it will be performed • The plan should specify the order in which controls are to be implemented so that the most serious exposures are covered as soon as possible • The plan must be extensible, as new equipment will be acquired, new connectivity requested, and new threats identified • The plan must include procedures for change and growth • The plan must include a schedule for periodic review 9 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved
Security Planning Team Members Security planning touches every aspect of an organization and therefore requires participation well beyond the security group Common security planning representation Computer hardware group System administrators Systems programmers Applications programmers Data entry personnel Physical security personnel Representative users From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Security Planning Team Members • Security planning touches every aspect of an organization and therefore requires participation well beyond the security group • Common security planning representation: • Computer hardware group • System administrators • Systems programmers • Applications programmers • Data entry personnel • Physical security personnel • Representative users 10 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved