TECHNICAL REPORT
ISO/IEC TR 13335-2 First edition 1997-12-15
Information technology — Guidelines for the management of IT Security — Part 2: Managing and planning IT Security
Technologies de l'information — Lignes directrices pour le management de sécurité IT — Partie 2: Management et planning de sécurité IT
Licensed to UNIVERSIDAD LA SALLE/MARIO FARIAS-ELINOS ISO Store order #: 534424/Downloaded: 2003-03-06 Single user licence only, copying and networking prohibited
Reference number ISO/IEC TR 13335-2:1997(E)
Contents
1 Scope ... 1
2 Reference ... 1
3 Terms and definitions ... 1
4 Structure ... 1
5 Aim ... 1
6 Background ... 1
7 Management of IT Security ... 2
7.1 Planning and Management Process Overview ... 2
7.2 Risk Management Overview ... 3
7.3 Implementation Overview ... 3
7.4 Follow-up Overview ... 3
7.5 Integrating IT Security ... 3
8 Corporate IT Security Policy ... 3
8.1 Objectives ... 3
8.2 Management Commitment ... 4
8.3 Policy Relationships ... 4
8.4 Corporate IT Security Policy Elements ... 4
9 Organizational Aspects of IT Security ... 5
9.1 Roles and Responsibilities ... 5
9.1.1 IT Security Forum ... 6
9.1.2 Corporate IT Security Officer ... 7
9.1.3 IT Project Security Officer and IT System Security Officer ... 7
9.2 Commitment ... 7
9.3 Consistent Approach ... 7
10 Corporate Risk Analysis Strategy Options ... 8
10.1 Baseline Approach ... 8
10.2 Informal Approach ... 8
10.3 Detailed Risk Analysis ... 9
10.4 Combined Approach ... 9
11 IT Security Recommendations ... 9
11.1 Safeguard Selection ... 9
11.2 Risk Acceptance ... 10
12 IT System Security Policy ... 10
13 IT Security Plan ... 11
14 Implementation of Safeguards ... 11
15 Security Awareness ... 11
16 Follow-up ... 12
16.1 Maintenance ... 12
16.2 Security Compliance ... 13
16.3 Monitoring ... 13
16.4 Incident Handling ... 13
17 Summary ... 14
© ISO/IEC 1997 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher. ISO/IEC Copyright Office • Case postale 56 • CH-1211 Genève 20 • Switzerland Printed in Switzerland
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
The main task of technical committees is to prepare International Standards, but in exceptional circumstances a technical committee may propose the publication of a Technical Report of one of the following types:
— type 1, when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts;
— type 2, when the subject is still under technical development or where for any other reason there is the future but not immediate possibility of an agreement on an International Standard;
— type 3, when a technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example).
Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to be reviewed until the data they provide are considered to be no longer valid or useful.
ISO/IEC TR 13335-2, which is a Technical Report of type 3, was prepared by the Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee 27, IT Security techniques.
ISO/IEC TR 13335 consists of the following parts, under the general title Information technology — Guidelines for the management of IT Security:
— Part 1: Concepts and models for IT Security
— Part 2: Managing and planning IT Security
— Part 3: Techniques for the management of IT Security
— Part 4: Selection of safeguards
— Part 5: Safeguards for external connections
Introduction
The purpose of this Technical Report (ISO/IEC TR 13335) is to provide guidance, not solutions, on management aspects of IT security. Those individuals within an organization that are responsible for IT security should be able to adapt the material in this report to meet their specific needs.
The main objectives of this Technical Report are:
• to define and describe the concepts associated with the management of IT security,
• to identify the relationships between the management of IT security and management of IT in general,
• to present several models which can be used to explain IT security, and
• to provide general guidance on the management of IT security.
ISO/IEC TR 13335 is organized into multiple parts. Part 1 provides an overview of the fundamental concepts and models used to describe the management of IT security. This material is suitable for managers responsible for IT security and for those who are responsible for an organization’s overall security programme.
Part 2 describes management and planning aspects. It is relevant to managers with responsibilities relating to an organization’s IT systems. They may be:
• IT managers who are responsible for overseeing the design, implementation, testing, procurement, or operation of IT systems, or
• managers who are responsible for activities that make substantial use of IT systems,
• as well of course as managers responsible for IT security.
Part 3 describes security techniques appropriate for use by those involved with management activities during a project lifecycle, such as planning, designing, implementing, testing, acquisition or operations.
Part 4 provides guidance on the selection of safeguards, and how this can be supported by the use of baseline models and controls. It also describes how this complements the security techniques described in Part 3, and how additional assessment methods can be used for the selection of safeguards.
Part 5 provides guidance to an organization connecting its IT systems to external networks. This guidance includes the selection and use of safeguards to provide security for the connections and the services supported by those connections, and additional safeguards for the IT systems being connected.
Information technology — Guidelines for the management of IT Security — Part 2: Managing and planning IT Security
1 Scope
The guidelines in this part of ISO/IEC TR 13335 address subjects essential to the management of IT security, and the relationship between those subjects. These guidelines are useful for the identification and the management of all aspects of IT security. Familiarity with the concepts and models introduced in Part 1 is essential for a complete understanding of this part.
2 Reference
ISO/IEC TR 13335-1:1996, Information technology — Guidelines for the management of IT Security — Concepts and models for IT Security.
3 Terms and definitions
For the purposes of this part of ISO/IEC TR 13335, the definitions given in ISO/IEC TR 13335-1 apply. The following terms are used: accountability, asset, authenticity, availability, baseline controls, confidentiality, data integrity, impact, integrity, IT security, IT security policy, reliability, residual risk, risk, risk analysis, risk management, safeguard, system integrity, threat, vulnerability.
4 Structure
Part 2 is divided into 17 clauses. Clauses 5 and 6 provide information on the aim and background of this document. Clause 7 provides an overview of the various activities involved in successful IT security management. Clauses 8 through 16 elaborate on these activities. Clause 17 provides a summary.
5 Aim
The aim of this part is to present the different activities related to the management and the planning of IT security, as well as the associated roles and responsibilities within an organization. It is relevant to IT managers who typically have responsibility for procurement, design, implementation, or operation of IT systems. Apart from managers with responsibility for IT security, it is also relevant to managers who are responsible for activities that make substantial use of IT systems. Generally, this part is useful for anybody having managerial responsibilities relating to an organization’s IT systems.
6 Background
Government and commercial organizations rely heavily on the use of information to conduct their business activities. Loss of confidentiality, integrity, availability, accountability, authenticity and reliability of information and services can have adverse impacts on organizations. Consequently, there is a critical need to protect information and to manage the security of information technology (IT) systems within organizations. This requirement to protect information is particularly important in today's environment because many organizations are internally and externally connected by networks of IT systems.
IT security management is a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and reliability. IT security management functions include:
• determining organizational IT security objectives, strategies and policies,
• determining organizational IT security requirements,
• identifying and analyzing the security threats to, and vulnerabilities of, the assets of IT systems within the organization,
• identifying and analyzing security risks,
• specifying appropriate safeguards,
• monitoring the implementation and operation of safeguards that are necessary in order to cost effectively protect the information and services within the organization,
• developing and implementing a security awareness programme, and
• detecting and reacting to incidents.
In order to fulfill these management responsibilities for IT systems, security must be an integral part of an organization’s overall management plan and be integrated into all functional processes of the organization. As a result, several of the security topics addressed in this report have broader management implications. This report will not attempt to focus on the broad management issues, but rather on the security aspects of the topics and how they are related to management in general.
7 Management of IT Security
7.1 Planning and Management Process Overview
IT security planning and management is the overall process of establishing and maintaining an IT security programme within an organization. Figure 1 shows the main activities within this process. Because management styles and organizational sizes and structures differ, this process should be tailored to the environment in which it is used. It is important that all of the activities and functions identified in Figure 1 are addressed within the style, size and structure of the organization, and its manner of doing business. It is implicit that management reviews are conducted as part of all these activities and functions.
The starting point is to establish a clear view of the organization’s IT security objectives. These objectives follow from higher level objectives (e.g. the business objectives) and, in turn, lead to the IT security strategy for the organization and the corporate IT security policy, as detailed in Clause 8. Therefore, a part of the corporate IT security policy is the creation of an appropriate organizational structure that will ensure that the defined objectives can be reached.
[Figure 1 — Overview of the Planning and Management of IT Security. The figure is a flow of the main activities: Corporate IT Security Policy (Clause 8) → Organizational Aspects of IT Security (Clause 9) → Risk Management (Clause 7.2), consisting of Corporate Risk Analysis Strategy Options (Clause 10) with a choice among the Baseline Approach, Informal Approach, Detailed Risk Analysis and Combined Approach → IT Security Recommendations (Clause 11) → IT System Security Policy (Clause 12) → IT Security Plan (Clause 13) → Implementation (Clause 7.3), comprising Safeguards (Clause 14) and Security Awareness (Clause 15) in parallel → Follow Up (Clause 16), with a feedback path back to the start.]
7.2 Risk Management Overview
Risk Management includes four distinct activities:
• determination of the overall risk management strategy appropriate to the organization within the context of the corporate IT security policy,
• selection of safeguards for individual IT systems as a result of risk analysis activities or according to baseline controls,
• formulation of IT system security policies from the security recommendations, and as necessary the update of the corporate IT security policy (and where appropriate the departmental IT security policy), and
• construction of IT security plans to implement the safeguards, based on the approved IT system security policies.
7.3 Implementation Overview
The implementation of the necessary safeguards for each IT system should be done according to the IT security plan. The improvement of general IT security awareness, although very often neglected, is an important aspect for the effectiveness of safeguards. Figure 1 makes clear that these two tasks, i.e., safeguard implementation and a security awareness programme, should run in parallel, as user behaviour cannot be changed overnight, and awareness needs to be enhanced continuously over a longer period of time.
7.4 Follow-up Overview
The activities addressed in clause 16, ‘Follow-up’, include:
• maintenance of safeguards, to ensure their continued and effective operation,
• checking to ensure that safeguards comply with approved policies and plans,
• monitoring of assets, threats, vulnerabilities and safeguards for differences, to detect changes which may affect risks, and
• incident handling to ensure the appropriate reaction to unwanted events.
Follow-up is a continuous task, which should include the reassessment of earlier decisions.
7.5 Integrating IT Security
All IT security activities are most effective if they occur uniformly throughout the organization and from the beginning of any IT system’s life cycle. The IT security process is itself a major cycle of activities and should be integrated into all phases of the IT system life cycle. Whilst security is most effective if it is integrated into new systems from the beginning, legacy systems and business activities benefit from the integration of security at any point in time.
An IT system life cycle can be subdivided into three basic phases. Each of these phases relates to IT security in the following way:
• Planning: IT security needs should be addressed during all planning and decision making activities.
• Acquisition: IT security requirements should be integrated into the processes by which systems are designed, developed, purchased, upgraded or otherwise constructed. Integration of the security requirements into these activities ensures that cost effective security features are included in systems at the appropriate time and not afterwards.
• Operations: IT security should be integrated into the operational environment. As an IT system is used to perform its intended mission, it typically undergoes a series of upgrades which includes the purchase of new hardware components or the modification or addition of software. In addition, the operational environment frequently changes. These changes in the environment could create new system vulnerabilities which should be analyzed and assessed, and either mitigated or accepted. Equally important is the secure disposal or reassignment of the systems.
IT security should be a continuous process with many feedbacks within and between an IT system’s life cycle phases. Only the overall feedback path is shown in Figure 1. In most situations, feedback will also occur between and within all major activities of the IT security process.
This provides a continual flow of information about IT system vulnerabilities, threats, and safeguards throughout the three phases of an IT system’s life cycle. It is also worth noting that each of an organization’s business areas may identify IT security requirements that are unique. These areas should mutually support each other and the overall IT security process by sharing information on security aspects which can be used to support the management decision making process.
8 Corporate IT Security Policy
8.1 Objectives
Objectives (what is to be achieved), strategies (how to achieve these objectives), and policies (the rules for achieving the objectives) may be defined for each level of an organization and for each business unit or department. In order to achieve effective IT security it is necessary to align the various objectives, strategies and policies for each organizational level and business unit. Consistency between the corresponding documents, although influenced by different points of view, is important, since many threats (such as system hacking, file deletion and fire) are common business problems.
8.2 Management Commitment
The commitment of top management to IT security is important and should result in a formally agreed and documented corporate IT security policy. The corporate IT security policy should be derived from the corporate security policy.
8.3 Policy Relationships
Where appropriate, the corporate IT security policy may be included in the range of corporate technical and management policies, that together build a basis for a corporate IT strategy statement. This statement should include some persuasive words on the importance of security, particularly if security is necessary for the compliance with that strategy. Figure 2 shows the relationships between the various policies. Regardless of the documentation and organizational structure in use by the organization, it is important that the different messages of the policies described are addressed, and that consistency is maintained.
[Figure 2 — Policy Relationships. The figure shows a hierarchy: the Corporate Business Policy, derived from objectives and strategy, at the top; beneath it the Corporate Marketing Policy, Corporate Security Policy and Corporate IT Policy; the Corporate IT Security Policy derived from the latter two; then Department IT Security Policies; and at the lowest level the IT security policies for individual systems (System A, System B, ...).]
Other, more detailed, IT security policies are required for specific systems and services, or for a group of IT systems and services. These are normally known as IT system security policies. It is an important management aspect that their scope and boundaries are clearly defined, and based on business and technical reasons.
8.4 Corporate IT Security Policy Elements
The corporate IT security policy should at least cover the following topics:
• IT security requirements, e.g., in terms of confidentiality, integrity, availability, authenticity, accountability and reliability, particularly with regard to the views of the asset owners,
• organizational infrastructure and assignment of responsibilities,
• integration of security into system development and procurement,
• directives and procedures,
• definition of classes for information classification,
• risk management strategies,
• contingency planning,
• personnel issues (special attention should be paid to personnel in positions requiring trust, such as maintenance personnel and system administrators),
• awareness and training,
• legal and regulatory obligations,
• outsourcing management, and
• incident handling.
9 Organizational Aspects of IT Security
9.1 Roles and Responsibilities
IT security is an interdisciplinary topic and relevant to every IT project and system and all IT users within an organization. Appropriate assignment and demarcation of responsibilities should ensure that all important tasks are accomplished and that they are performed in an efficient way. Although this goal may be achieved through various organizational schemes, dependent upon the size and structure of an organization the following roles need to be covered in every organization:
• an IT security forum, which typically resolves the interdisciplinary issues and approves directives and standards, and
• the corporate IT security officer, who acts as the focus for all IT security aspects within an organization.
Both the IT security forum and the corporate IT security officer should have well defined and unambiguous duties, and be sufficiently senior to ensure commitment to the corporate IT security policy. The organization should provide clear lines of communication, responsibility, and authority for the corporate IT security officer, and the duties should be approved by the IT security forum. The conduct of these duties may be supplemented by the use of external consultants.
Figure 3 shows a typical example of the relationships between the corporate IT security officer, the IT security forum and the representatives from other areas within the organization, such as other security functions, the user community, and IT personnel. These relationships may be line management or functional. The example for the organization of IT security described in Figure 3 uses three organizational levels. This can easily be adapted to any organization by adding or omitting levels according to the organization’s need. Small to medium organizations may choose to have a corporate IT security officer whose responsibilities cover all security roles.
When functions are combined it is important to ensure that the appropriate checks and balances are maintained to avoid concentrating too much power in one person's hands without having the possibility of influence or control.
[Figure 3 — Example IT Security Organization. The figure shows three organizational levels. Corporate level: Corporate Management, the Corporate Security Officer and the IT Steering Committee above the Corporate IT Security Officer, who works with the IT Security Forum and produces the Corporate IT Security Policy and Directives. Department level (only if the department is of sufficient size): a Department IT Security Officer with IT Representative(s), producing the Department IT Security Policy and Directives. System / project level: an IT Project or System Security Officer with an IT User Representative, producing the IT Project or System Security Policy. The legend distinguishes roles from organisational units.]
9.1.1 IT Security Forum
Such a forum should involve people with the necessary skills to identify requirements, formulate policies, draw up the security programme, review achievements and direct the corporate IT security officer. There may already be a suitable forum, or a separate IT security forum may be preferred. The role of such a forum or committee is to:
• advise the IT steering committee regarding strategic security planning,
• formulate a corporate IT security policy in support of the IT strategy and obtain approval from the IT steering committee,
• translate the corporate IT security policy into an IT security programme,
• monitor the implementation of the IT security programme,
• review the effectiveness of the corporate IT security policy,
• promote awareness of IT security issues, and
• advise on resources (people, money, knowledge, etc.) needed to support the planning process and the IT security programme implementation.
To be effective, the forum should include members with a background in security and the technical aspects of IT systems, as well as representatives of the providers and users of IT systems. Knowledge and skills from all these areas are needed to develop a practical corporate IT security policy.
9.1.2 Corporate IT Security Officer
Because the responsibility for IT security is shared, there is a risk that, in the end, nobody will feel responsible at all. To avoid this, responsibility should be assigned to a specific individual. The corporate IT security officer should act as the focus for all IT security aspects within the organization. There may already be a suitable person who can take on the additional responsibilities, although it is recommended that a dedicated post is established. It is preferable to select a person with background in security and IT as corporate IT security officer. The chief responsibilities are:
• oversight of the implementation of the IT security programme,
• liaison with and reporting to the IT security forum and the corporate security officer,
• maintaining the corporate IT security policy and directives,
• co-ordinating incident investigations,
• managing the corporate-wide security awareness programme, and
• determining the terms of reference for IT project and system security officers (and where relevant department IT security officers).
9.1.3 IT Project Security Officer and IT System Security Officer
Individual projects or systems should have someone responsible for security, usually called the IT security officer. In some cases, this may not be a full time role. The functional management of these officers will be the responsibility of the corporate IT security officer (or, where applicable, the department IT security officer). The security officer acts as the focal point for all security aspects of a project, a system, or a group of systems.
The chief responsibilities of the post are:
• liaison with and reporting to the corporate IT security officer (or, where applicable, the department IT security officer),
• issuing and maintaining the IT project or system security policy,
• developing and implementing the security plan,
• day-to-day monitoring of implementation and use of the IT safeguards, and
• initiating and assisting in incident investigations.
9.2 Commitment

It is vital for effective IT security that management at all levels supports the efforts made by individuals. A business-wide commitment to the goals of IT security includes:
• an understanding of the organization's global needs,
• an understanding of the needs for IT security within the organization,
• a demonstration of the commitment to IT security,
• a willingness to address the IT security needs,
• a willingness to allocate resources to IT security, and
• an awareness, at the highest level, of what IT security means, or consists of (scope, extent).

The goals of IT security should be promulgated throughout the organization. Each employee, or contractor, should know their role and responsibility and their contribution to IT security, and be entrusted with achieving such goals.
9.3 Consistent Approach

A consistent approach to IT security should be applied to all development, maintenance and operational activities. Protection should be ensured throughout the life cycle of information and IT systems, from planning to disposal. An organizational structure, such as the one illustrated in Figure 3, can support a harmonized approach to IT security throughout the organization. This needs to be supported by a commitment to standards. Standards may include international, national, regional, industry sector, and corporate standards or rules, selected and applied according to the IT security needs of the organization. Technical standards need to be complemented by rules and guidelines on their implementation, use and management. The benefits of using standards include:
• integrated security,
• interoperability,
• consistency,
• portability,
• economies of scale, and
• interworking between organizations.
10 Corporate Risk Analysis Strategy Options

Any organization that wants to enhance security should put in place a strategy for risk management that is suitable for its environment and contains the means to address the risks in an effective manner. A strategy is required which focuses security effort where it is needed and enables a cost- and time-effective approach. It is neither resource- nor time-effective to conduct detailed reviews for all systems, nor is it effective to leave serious risks unaddressed. An approach which provides a balance between these extremes involves conducting high level reviews to determine the IT security needs of systems, followed by analyses to a depth consistent with those needs. The security needs of any organization will depend on its size, the type of business it conducts, and its environment and culture. The corporate risk analysis strategy option to be selected should relate directly to these facts.

In some situations, an organization may decide to do nothing or to postpone the implementation of safeguards. This management decision should only be made after an organization has completed its high level reviews. However, if such a decision is made, management should be fully aware of the risks and adverse impacts for which it may be liable, and of the likelihood of an unwanted incident taking place. Without this knowledge an organization may inadvertently be in violation of laws or regulations and may expose its business to potential loss. The decision and justification to do nothing or to postpone the implementation of safeguards should be adopted only after serious consideration has been given to these and other possible adverse effects.

Based upon the results of the high level reviews, safeguards to mitigate the risks can be selected using one of the four options described below. The following clauses provide an explanation of the advantages and disadvantages of each option.
10.1 Baseline Approach

The first option is to select a set of safeguards to achieve a baseline level of protection for all systems. A variety of standard safeguards are suggested in baseline documents and codes of practice. After an examination of the basic needs, these safeguards can also be adapted from other organizations such as international and national standards organizations, industry sector standards or recommendations, or some other company with appropriate similarities (such as business objectives, size, IT systems and applications). There are a number of advantages with this approach, such as:
• No resources are needed for detailed risk analysis, and the time and effort spent on safeguard selection is reduced. Normally, no significant resources are needed to identify the baseline safeguards.
• The same or similar baseline safeguards can be adapted for many systems without great effort. If a large number of an organization's systems operate in a common environment, and if the business needs are comparable, baseline safeguards may offer a cost-effective solution.

The disadvantages of this option are:
• If the baseline level is set too high, security might be too expensive or too restrictive for some systems; if the baseline level is set too low, there might not be enough security for some systems.
• There might be difficulties in managing security relevant changes. For instance, if a system is upgraded, it might be difficult to assess whether the original baseline safeguards are still sufficient.
10.2 Informal Approach

The second option is to conduct an informal, pragmatic risk analysis for all systems. An informal approach is not based on structured methods, but exploits the knowledge and experience of individuals. If internal security expertise is not available, external consultants can do this analysis. The advantage of this option is:
• No additional skills need to be learnt to do this informal analysis, and it is performed more quickly than a detailed risk analysis. Hence this approach might be cost effective and suitable for small organizations.

There are several disadvantages:
• Without a structured approach, the likelihood of missing some risks and areas of concern increases.
• Because of the informality of this approach, the results may be influenced by subjective views and the prejudices of the reviewer.
• There is very little justification for the safeguards selected; hence expenditure on safeguards would be difficult to justify.
• It may be difficult to manage security relevant changes over time without repeated reviews.
10.3 Detailed Risk Analysis

The third option is to conduct a detailed risk analysis for all systems. Detailed risk analysis involves the identification and valuation of assets, and assessment of the levels of threats to those assets and of the vulnerabilities of those assets. This input is used to assess the risks. By doing that, risk analysis supports the identification, selection and adoption of safeguards justified by the identified risks to assets, and the reduction of those risks to an acceptable level defined by management. Detailed risk analysis can be a very resource consuming process, and therefore needs careful establishment of boundaries and constant management attention. The advantages of this option are:
• A security level is identified which is appropriate for the security needs of each system.
• The management of security relevant changes will benefit from the additional information obtained from a detailed risk analysis.

The major disadvantage of this option is:
• It takes a considerable amount of time, effort and expertise to get viable results.
10.4 Combined Approach

The fourth option is to first identify those systems which are at high risk or critical to business operations, using a high level risk analysis approach. Based on these results, the systems are categorized into those which require a detailed risk analysis to achieve appropriate protection and those for which baseline protection is sufficient. This option is a combination of the best points of the options described in 10.1 Baseline Approach and 10.3 Detailed Risk Analysis. Consequently, it provides a good balance between minimizing the time and effort spent in identifying safeguards, while still ensuring that all systems are protected appropriately. The advantages of this option are:
• Using a simple high level approach to gather the necessary information before significant resources are committed is more likely to gain acceptance for the risk management programme.
• It should be possible to build an immediate strategic picture of the organizational security programme, which can be used as a good planning aid.
• Resources and money can be applied where they will be most beneficial, and systems which are likely to be at high risk can be addressed early.

The disadvantage of this option is:
• If the high level risk analysis leads to inaccurate results, some systems for which a detailed risk analysis is needed might not be so addressed. This is unlikely if the results of the high level risk analysis are checked appropriately, but in any event such systems would still be covered by baseline safeguards.

In most circumstances this option offers the most cost effective approach and is a highly recommended risk analysis option for the majority of organizations.
11 IT Security Recommendations

Any of the approaches in Clause 10 should provide a number of recommendations to reduce the security risks to an acceptable level. These recommendations should be approved by management, and should include the:
• criteria for determining acceptable levels of risk for the IT systems considered,
• selection of safeguards which reduce risks to an acceptable level,
• benefits relating to the implementation of these safeguards, and the reduction of risks achieved by these safeguards, and
• acceptance of the residual risks remaining when all these safeguards have been implemented.
11.1 Safeguard Selection

There are several types of safeguards: those which prevent, reduce, monitor, detect, or correct unwanted incidents, and those which recover from them. Prevention can include the deterrence of unwanted actions and activities which enhance security awareness. The major areas where safeguards are applicable, and some examples for each area, are:
• hardware (backup, keys),
• software (electronic signatures, logging, anti-virus tools),
• communications (firewalls, data encryption),
• physical environment (fences, badges),
• personnel (staff awareness, procedures for employee termination), and
• administration (authorization, disposal of hardware, license control).
Safeguards are not independent of one another and frequently work in combination. The selection process must consider safeguard interdependencies. During safeguard selection, it should be checked that no gaps remain. Such gaps make it possible to circumvent existing safeguards, and allow accidental threats to cause damage. For new systems, or where major changes are being made to existing systems, safeguard selection may include a security architecture. A security architecture describes how the requirements for security are to be satisfied for an IT system and is part of the overall system architecture. It addresses technical safeguards, whilst taking account of non-technical aspects.

All safeguards require management to ensure effective operation, and many safeguards will require administrative support for maintenance purposes. These factors should be kept in mind during the safeguard selection process. It is important that safeguards are implemented effectively and without causing undue user or management overhead. If safeguards cause significant changes, their implementation should be linked to a security awareness programme, change management and configuration management.
11.2 Risk Acceptance

After the implementation of the selected safeguards, there will always be a residual risk. This is because no system can ever be made absolutely secure, and because certain assets may have been left unprotected intentionally (e.g., because of assumed low risk or the high costs of the recommended safeguard relative to the estimated value of the asset to be protected). The first step of the risk acceptance process is to review the safeguards selected and to identify and assess all residual risks. The next step is to classify the residual risks into those considered "acceptable" and those which are "unacceptable" for the organization. It is obvious that unacceptable risks cannot be tolerated; thus additional safeguards limiting the impact or consequences of those risks should be considered. In each of these cases, a business decision must be made. Either the risk is to be judged "acceptable", or the expense of additional safeguards must be approved which reduce the risk to an acceptable level.
12 IT System Security Policy

Policies developed for IT system security should be based on the corporate and departmental security policy. These system security policies comprise a set of principles and rules for the protection of systems and services. The policies must be implemented by the application of appropriate safeguards to the systems and services to ensure that an adequate level of protection is achieved. The IT system security policies must be endorsed by senior management as mandatory sets of principles and rules to ensure that financial and manpower resources are committed to their application and enforcement. The key issues to be considered when determining each IT system security policy are:
• definition of the considered IT system and its boundary,
• definition of the business objectives to be achieved by the system, as these may have an impact on the security policy for the system and on the selection and implementation of safeguards,
• potential adverse business impacts from: unavailability, denial, or destruction of services or assets including information, unauthorized modification of information or software, and unauthorized disclosure of information, with quantitative consequences, such as direct or indirect money losses, as well as qualitative consequences, such as loss of goodwill, loss of or danger to life, breaches of personal privacy,
• level of investment in IT,
• significant threats to the IT system and the information handled,
• vulnerabilities, including the weaknesses that leave the IT system subject to the danger of identified threats,
• security safeguards required, which are commensurate with the identified risks,
• costs of IT security, i.e., the expenses of protecting IT assets (the cost of IT security should be considered as part of the cost of ownership of the IT system), and
• relationship to and selection principles for outsourcing providers (e.g. computing centers, PC support).
IT security needs a planned approach and should not be considered in isolation. It should feature in the strategic planning process, thus ensuring that security is planned and designed into the system from the outset. In most situations it will be more expensive, or even impractical, to add safeguards later.
13 IT Security Plan

An IT security plan is a document which defines the co-ordinated actions to be undertaken to implement an IT system security policy. This plan should contain the primary actions to be undertaken within short, medium and long range, the associated costs in terms of investments, operational costs, workload, etc., and an implementation time schedule. It should include:
• an overall security architecture and design,
• a short review of the IT system for consistency with the organization's security objectives, reflected in terms of maximum financial losses, embarrassment, company image, etc.,
• an identification of the safeguards corresponding to the assessed risks, retained and validated by management,
• an assessment of the actual level of confidence in the safeguards, which includes the determination of their effectiveness,
• an overview of the assessment of residual risks in the context of the given system or application,
• the identification and definition of actions with their respective priority in order to implement the safeguards,
• a detailed work plan for the implementation of safeguards, including priorities, budget and time-schedules,
• project control activities including: the committing of resources and assignment of responsibilities, and the definition of progress-reporting procedures,
• the security awareness and training requirements for IT staff and end-users, and
• requirements for the development of security operating and administration procedures.

In addition, the plan should include the procedures defining the conditions and actions for the validation of each of the above points, including the modification of the plan itself.
14 Implementation of Safeguards

After having established an IT security plan, it is necessary to implement it. Usually, the IT system security officer is responsible for that. The following objectives should be kept in mind during the security implementation. It should be ensured that:
• the cost of safeguards remains within the approved range,
• safeguards are implemented correctly as required by the IT security plan, and
• safeguards are operated and administered as required by the IT security plan.

Most technical safeguards need to be complemented by operational and administrative procedures and cannot be enforced by purely technical means. Therefore, the procedures should be supported and enforced by line management. Security awareness and training is also considered a safeguard. Due to its importance, awareness will be discussed in Clause 15. Whilst security awareness applies to all personnel, specific security training is required for:
• personnel responsible for the development of IT systems,
• personnel responsible for the operation of IT systems,
• IT project and system security officers, and
• personnel responsible for security administration, e.g., for access control.

When the implementation of the IT security plan has been completed, the formal process of approving the implementation of the safeguards specified in the IT system security plan should take place. When approval has been obtained, authorization is then given for the IT system or service to be put into operation. The approval process is, in some communities, referred to as accreditation. Any significant change to an IT system or service should lead to re-checking, re-testing and re-approval of the IT system or service.
15 Security Awareness

The security awareness programme should be implemented at all levels of the organization, from top management to users. Without the acceptance and involvement of personnel at the user level, the security awareness programme cannot succeed. Users need to understand their importance to the success of the programme. An awareness programme should pass on knowledge of the corporate IT security policy and assure a complete understanding of the security guidelines and the appropriate actions. In addition, a security awareness programme should cover the objectives of the system security plans. The programme should address at least the following topics:
• the basic needs of information protection,
• implications of security incidents for the user as well as the organization,
• the objectives behind, and an explanation of, the corporate IT security policy and the risk management strategy, leading to an understanding of risks and safeguards,
• the IT security plans to implement and check safeguards,
• information classification,
• responsibilities of the data owners,
• responsibilities, job descriptions and procedures,
• the need to report and investigate breaches of security or attempts,
• the consequences of not acting in an authorized manner (including disciplinary actions),
• security compliance checking, and
• change and configuration management.
An effective security awareness programme will use a wide variety of media, such as brochures, handbooks, posters, videos, newsletters, hands-on practical exercises, workshops, seminars, and lectures. It is important that the implementation of the awareness programme considers social, cultural and psychological aspects and that a culture is developed which fully recognizes the importance of security. Security awareness should concern everyone within an organization, should influence behaviour, and should lead to increased responsibility for all. A critical factor is to make management aware of the need for security. It is part of all managers' jobs to ensure the security awareness of their staff. Therefore, they will have to plan a corresponding budget. In the case of large organizations, the responsibility for IT security awareness should be given to the corporate IT security officer.

The aim of an awareness programme is to convince those persons concerned that significant risks to IT systems do exist and that information loss, or unauthorized modification or disclosure, could have major consequences for the organization and its employees. It is preferable to organize awareness sessions related to the organization's environment. Relevant examples should be given, i.e. examples based on company cases, which are easy to understand and have a greater impact than cases reported by the news media. Such sessions will also provide employees with greater opportunities to interact with an instructor. The employees' compliance with safeguards should be monitored to measure the impact of security awareness sessions and to evaluate the sessions' contents. If the result is not satisfactory, the contents of security awareness sessions should be modified accordingly. Security awareness sessions should be repeated periodically, both to refresh the knowledge of existing staff and to inform new personnel.
Moreover, each new employee, each newly transferred person, and each newly promoted person, should be instructed in their new responsibilities. It is also advisable to integrate IT security aspects into other courses. It is emphasized that security awareness is an on-going process and can never be regarded as complete.
16 Follow-up

All safeguards require maintenance to ensure that they are functioning and continue to function in a predictable and appropriate manner. This aspect of security is one of the most important, but typically receives the least attention. Most often, the system or service already exists and security is added as an afterthought and then forgotten. There is a tendency to ignore safeguards that have been implemented and, at best, little attention is given to maintaining or enhancing security. Moreover, the obsolescence of safeguards should be discovered by planned actions rather than stumbled upon. In addition, security compliance checking, monitoring of the operational environment, log record reviews, and incident handling are also necessary to ensure ongoing security.
16.1 Maintenance

The maintenance of safeguards, which includes administration, is an essential part of an organization's security programme. It is the responsibility of all levels of management to ensure that:
• organizational resources are allocated to the maintenance of safeguards,
• safeguards are periodically re-validated to ensure that they continue to perform as intended,
• safeguards are upgraded when new requirements are discovered,
• responsibility for the maintenance of safeguards is clearly established,
• hardware and software modifications and upgrades to an IT system do not change the intended performance of the existing safeguards, and
• advances in technology do not introduce new threats or vulnerabilities.

When the maintenance activities described above are accomplished, existing safeguards will continue to perform as intended and adverse costly impacts will be avoided.
16.2 Security Compliance

Security compliance checking, also known as security audit or security review, is a very important activity used in ensuring conformance and compliance with the IT system security plan. To ensure that the appropriate level of IT security remains effective, it is essential that implemented safeguards conform, and continue to conform, with the safeguards specified in the IT project or system security plan. For all IT projects and systems this must be true during:
• design and development,
• the operational lifetime, and
• replacement or disposal.

Security compliance checks may be conducted using external or internal personnel (e.g. auditors) and are essentially based on the use of checklists relating to the IT project or system security policy. Security compliance checking should be planned and integrated with other planned activities. Spot checks are particularly helpful in determining whether operational support staff and users are conforming to specific safeguards and procedures. Checks should be made to ensure that the correct security safeguards are implemented, implemented correctly, used correctly and, where appropriate, tested. Where some safeguards are found not to be security conformant, a corrective action plan should be produced, activated, and its results reviewed.
16.3 Monitoring

Monitoring is a crucial part of the IT security cycle. If it is carried out properly, it gives management a clear view of:
• what has been achieved compared with the targets and deadlines set out, and
• whether or not the achievements are satisfactory and where specific initiatives did or did not work.

All changes to assets, threats, vulnerabilities and safeguards could potentially have a significant effect on the risks, and early detection of changes permits preventive action to be taken. Many safeguards produce output logs of security relevant events. These logs should, at a minimum, be periodically viewed, and if possible analyzed using statistical techniques to permit the early detection of trend changes and the detection of recurring adverse events. The use of logs only for post event analysis is to ignore a potentially very powerful safeguard mechanism. Monitoring should also include procedures for reporting to the relevant IT security officer and to management on a regular basis.
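16.3 asks that safeguard logs be reviewed periodically and analyzed statistically for trend changes and recurring adverse events, rather than consulted only after an incident. The following Python script is an added example and is not part of the technical report; the one-line-per-event log format, the two adverse event names, the sample log and the thresholds are all assumptions constructed for this illustration.

```python
"""
Periodic log review in the sense of 16.3: summarize a safeguard's log per
period, flag the latest period when a count jumps above the baseline
(trend change), and flag (event, source) pairs that keep coming back
(recurring adverse events).

Added example, not part of ISO/IEC TR 13335-2. Log format, event names,
sample data and thresholds are assumptions made for this illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: the safeguard (an access-control component) reports these
# two adverse event types; LOGIN_OK is informational and is ignored.
ADVERSE_EVENTS = {"LOGIN_FAIL", "ACCESS_DENIED"}

# Assumed format: "<ISO timestamp> <EVENT> src=<address>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) src=(?P<src>\S+)$")

# Constructed sample log covering five daily periods. Days 1-4 form the
# baseline; day 5 contains a burst of failures from one source, and one
# ACCESS_DENIED source appears every single day.
SAMPLE_LOG = """\
2024-03-04T08:12:03 LOGIN_FAIL src=10.0.0.5
2024-03-04T09:40:11 LOGIN_OK src=10.0.0.5
2024-03-04T11:02:45 LOGIN_FAIL src=10.0.0.6
2024-03-04T15:30:00 ACCESS_DENIED src=10.0.0.77
2024-03-05T07:55:19 LOGIN_FAIL src=10.0.0.9
2024-03-05T10:14:02 LOGIN_FAIL src=10.0.0.5
2024-03-05T13:48:37 LOGIN_FAIL src=10.0.0.12
2024-03-05T16:01:10 ACCESS_DENIED src=10.0.0.77
## rotated ##
2024-03-06T09:20:56 LOGIN_FAIL src=10.0.0.13
2024-03-06T12:00:00 LOGIN_OK src=10.0.0.13
2024-03-06T14:33:21 ACCESS_DENIED src=10.0.0.77
2024-03-07T08:05:42 LOGIN_FAIL src=10.0.0.6
2024-03-07T11:11:11 LOGIN_FAIL src=10.0.0.14
2024-03-07T17:45:09 ACCESS_DENIED src=10.0.0.77
2024-03-08T02:00:01 LOGIN_FAIL src=10.0.0.42
2024-03-08T02:00:04 LOGIN_FAIL src=10.0.0.42
2024-03-08T02:00:07 LOGIN_FAIL src=10.0.0.42
2024-03-08T02:00:10 LOGIN_FAIL src=10.0.0.42
2024-03-08T02:00:13 LOGIN_FAIL src=10.0.0.42
2024-03-08T02:00:16 LOGIN_FAIL src=10.0.0.42
2024-03-08T02:00:19 LOGIN_FAIL src=10.0.0.42
2024-03-08T02:00:22 LOGIN_FAIL src=10.0.0.42
2024-03-08T15:12:30 ACCESS_DENIED src=10.0.0.77
"""


def parse_log(text):
    """Turn log text into (date, event, src) records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. rotation markers or truncated lines
        ts = datetime.fromisoformat(m["ts"])
        records.append((ts.date(), m["event"], m["src"]))
    return records


def counts_per_period(records, event):
    """Chronological [(date, count)] of one event type, zero-filled for quiet days."""
    per_day = Counter(d for d, ev, _ in records if ev == event)
    return [(d, per_day.get(d, 0)) for d in sorted({d for d, _, _ in records})]


def trend_change(series, k=2.0, min_count=5):
    """Flag the latest period when its count exceeds baseline mean + k*stdev.
    The baseline is every earlier period; min_count suppresses flags on tiny
    absolute numbers (a jump from 1 to 2 is not a trend). Returns
    (flagged, latest_count, threshold)."""
    if len(series) < 3:
        return (False, series[-1][1] if series else 0, None)
    baseline = [c for _, c in series[:-1]]
    latest = series[-1][1]
    threshold = mean(baseline) + k * pstdev(baseline)
    return (latest >= min_count and latest > threshold, latest, threshold)


def recurring_events(records, min_periods=3):
    """(event, src) pairs present in at least min_periods distinct periods."""
    periods = defaultdict(set)
    for d, ev, src in records:
        if ev in ADVERSE_EVENTS:
            periods[(ev, src)].add(d)
    return sorted(key for key, days in periods.items() if len(days) >= min_periods)


def review(text):
    """Run the periodic review and return findings for the IT security officer."""
    records = parse_log(text)
    findings = {"trend": {}, "recurring": recurring_events(records)}
    for ev in sorted(ADVERSE_EVENTS):
        flagged, latest, threshold = trend_change(counts_per_period(records, ev))
        findings["trend"][ev] = {"flagged": flagged, "latest": latest,
                                 "threshold": threshold}
    return findings


if __name__ == "__main__":
    for event, result in review(SAMPLE_LOG)["trend"].items():
        print(f"{event}: latest={result['latest']} threshold={result['threshold']} "
              f"flagged={result['flagged']}")
    print("recurring:", review(SAMPLE_LOG)["recurring"])
```

On the constructed sample the day-5 LOGIN_FAIL burst is reported as a trend change and the daily ACCESS_DENIED from one source as a recurring event; a steady low count is left alone.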
16.4 Incident Handling

It is inevitable that security incidents will occur. Each incident should be investigated to a depth commensurate with the damage caused by the incident. Incident handling provides an ability to react to accidental or deliberate disruption of normal IT system operation. Consequently, an incident reporting and investigation scheme should be developed which is suitable for the whole of the organization's IT systems and services. Further, joining inter-organizational reporting schemes should be considered to gain a wider view of the occurrence of IT security incidents and related threats, and their associated effects on IT assets and business operations. The fundamental objectives during an IT security incident investigation are to:
• react to an incident in a sensible and effective manner, and to
• learn from the incident so that future similar adverse events may be precluded.

A prepared plan of actions with predefined decisions will allow an organization to react in reasonable time to limit further damage and, where relevant, to continue reduced business with auxiliary means. A plan for incident handling must include the requirement for a chronological documentation of all events and actions; this should lead to the identification of the source of the incident. This is a precondition to reaching the second aim, namely to reduce future risk by improving the safeguards. One positive effect of an incident is that it increases the willingness to invest in safeguards. It is important that an incident analysis is executed and documented, addressing the following questions:
• What has happened, and at what time?
• Did the staff follow the plan?
• Was the required information available to the staff on time?
• What would the staff propose to do differently the next time?
Answering these questions will help to understand the incident. This in turn should be used to reduce risks by upgrading the relevant IT security policies and plans (e.g., improving safeguards, reducing vulnerabilities and adapting the security awareness programme).
17 Summary

Part 2 discussed the management process and responsibilities associated with an effective IT security programme. The discussion is intended to give managers familiarity with the major processes and functions that play a role in IT security management. The information provided in this part may not be directly applicable to all organizations. In particular, small organizations are not likely to have all the resources available to completely perform some of the functions described. In these situations, it is important that the basic concepts and functions are addressed in an appropriate manner for the organization. Even in some large organizations, some of the functions discussed in this part may not be accomplished exactly as described. Part 3 will examine several techniques which can be used to fulfill the functions described in Part 2. Further parts will address the selection of safeguards and specific safeguards for external connections.
ICS 35.040 Descriptors: data processing, information interchange, network interconnection, communication procedure, security techniques, concepts, models, rules (instructions). Price based on 14 pages