CHAPTER 7
Information Security Process
Copyright 2001 The McGraw-Hill Companies, Inc.
until an incident has occurred.
Fortunately, organizations can reduce the cost of information security. Proper planning and risk management will drastically reduce, if not eliminate, the cost of an incident. If the organization had taken the proper steps before the incident occurred, and the incident were prevented, the cost would have been:
Cost of Information Security = Cost of Countermeasures
Note also that
Cost of the Incident + Cost of Countermeasures >> Cost of Countermeasures
Taking the proper steps before an incident occurs is a proactive approach to information security. In this case, the organization identifies its vulnerabilities and determines the risk to the organization if an incident were to occur. The organization can then choose countermeasures that are cost-effective. This is the first step in the process of information security.
The process of information security (see Figure 7-1) is a continual process consisting of five key phases:
▼ Assessment
■ Policy
■ Implementation
■ Training
▲ Audit
Individually, each phase does bring value to an organization; however, only when taken together will they provide the foundation upon which an organization can effectively manage the risk of an information security incident.
The information security process begins with an assessment. An assessment answers the basic questions of “Where are we?” and “Where are we going?” An assessment is used to determine the value of the information assets of an organization, the size of the threats to and vulnerabilities of that information, and the importance of the overall risk to the organization. This is important simply because without knowing the current state of the risk to an organization’s information assets, it is impossible to effectively implement a proper security program to protect those assets.
This is accomplished by following the risk management approach. Once the risk has been identified and quantified, you can select cost-effective countermeasures to mitigate that risk.
The goals of an information security assessment are as follows:
▼ To determine the value of the information assets
■ To determine the threats to the confidentiality, integrity, availability, and/or
accountability of those assets
■ To determine the existing vulnerabilities inherent in the current practices of the
organization
■ To identify the risks posed to the organization with regard to information assets
■ To recommend changes to current practice that reduce the risks to an
acceptable level
▲ To provide a foundation on which to build an appropriate security plan
Figure 7-1. The process of information security
throughout the organization in the handling of information. All forms of information are examined, including electronic and physical.
■ Audit Specific policies are examined and the organization’s compliance with them is reviewed.
▲ Penetration Test The organization’s ability to respond to a simulated intrusion is examined. This type of assessment should be performed only against organizations with mature security programs.
For this discussion, we will assume that audits and penetration tests will be covered during the audit phase of the process. Both of these types of assessments imply some previous understanding of risks and a previous implementation of security practices and risk management. Neither type of assessment is appropriate when an organization is attempting to understand the current state of security within the organization.
You should make assessments by gathering information from three primary sources:
▼ Employee interviews
■ Document review
▲ Physical inspection
Interviews must be with appropriate employees who will provide information on the existing security systems and the way the organization functions. A good mixture of staff and management positions is critical. Interviews should not be adversarial. The interviewer should attempt to put the subject at ease by explaining the purpose of the assessment and how the subject can assist in protecting the organization’s information assets. Likewise, the subject must be assured that none of the information provided will be attributed directly to him or her.
You should also review all existing security-relevant policies as well as key configuration documents. The examination should not be limited to only those documents that are complete; documents in draft form should also be examined.
The last part of information gathering is a physical inspection of the organization’s facility. If possible, inspect all the organization’s facilities.
When conducting an assessment of an organization, examine the following areas:
▼ The organization’s network
■ The organization’s physical security measures
■ The organization’s existing policies and procedures
■ Precautions the organization has put in place
■ Employee awareness of security issues
■ Employees of the organization
■ The workload of the employees
■ The attitude of the employees
■ Employee adherence to existing policies and procedures
▲ The business of the organization
Network
The organization’s network normally provides the easiest access points to information and systems. When examining the network, begin with a network diagram and examine each point of connectivity.
NOTE: Network diagrams are very often inaccurate or outdated; therefore it is imperative that diagrams are not the only source of information used to identify critical network components.
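One practical way to act on the NOTE above is to reconcile the diagram against what is actually observed on the wire. The following is an added example, not code from the book: it parses scan results in the shape of nmap’s grepable (-oG) output, compares them with the hosts the diagram claims exist, and reports undocumented hosts, documented hosts that were not seen, OS mismatches, and cleartext management services. The diagram inventory, the scan lines, and the function names parse_grepable and reconcile are constructed for illustration.

```python
"""Reconcile a network diagram against an observed scan.

Added example, not from the book. DIAGRAM and NMAP_GREPABLE are
constructed sample data; the function names are assumptions.
"""
import re

# Constructed: what the organization's network diagram claims exists.
# ip -> (role, documented operating system)
DIAGRAM = {
    "10.0.1.10": ("mail server", "Linux"),
    "10.0.1.20": ("file server", "Windows"),
    "10.0.1.30": ("dial-in RAS", "Windows"),
    "10.0.2.1": ("branch router", "Cisco IOS"),
}

# Constructed: lines in the shape of `nmap -sV -O -oG -` output.
# Fields are tab-separated "Key: value" pairs after the Host field.
NMAP_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.1.10 (mail)\tStatus: Up
Host: 10.0.1.10 (mail)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 22/open/tcp//ssh//OpenSSH 8.2/\tOS: Linux 5.x
Host: 10.0.1.20 (files)\tStatus: Up
Host: 10.0.1.20 (files)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tOS: Windows Server 2019
Host: 10.0.1.77 ()\tStatus: Up
Host: 10.0.1.77 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http//Boa httpd/\tOS: embedded
Host: 10.0.2.1 (branch-rtr)\tStatus: Up
Host: 10.0.2.1 (branch-rtr)\tPorts: 23/open/tcp//telnet///\tOS: Cisco IOS 12.x
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

# Services whose administrative traffic crosses the network unencrypted.
CLEARTEXT_ADMIN = {"telnet", "rlogin", "rsh"}


def parse_grepable(text):
    """Parse -oG lines into {ip: {"name", "os", "ports"}}.

    Each port entry is (number, protocol, service, version); only
    ports reported as open are kept.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"name": name, "os": None, "ports": []})
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "OS":
                entry["os"] = value
            elif key == "Ports":
                for port in value.split(", "):
                    # port/state/protocol/owner/service/rpc/version/
                    num, state, proto, _owner, service, _rpc, version, *_ = port.split("/")
                    if state == "open":
                        entry["ports"].append((int(num), proto, service, version))
    return hosts


def reconcile(diagram, observed):
    """Return (kind, ip, detail) findings an assessor would raise."""
    findings = []
    for ip, host in observed.items():
        if ip not in diagram:
            svc = ", ".join(f"{p}/{proto} {s}" for p, proto, s, _ in host["ports"])
            findings.append(("undocumented host", ip, f"{host['os']}; open: {svc}"))
        else:
            _role, doc_os = diagram[ip]
            if host["os"] and doc_os.lower() not in host["os"].lower():
                findings.append(("os mismatch", ip,
                                 f"diagram says {doc_os}, scan says {host['os']}"))
        for num, proto, service, _ in host["ports"]:
            if service in CLEARTEXT_ADMIN:
                findings.append(("cleartext management service", ip,
                                 f"{service} on {num}/{proto}"))
    for ip, (role, _) in diagram.items():
        if ip not in observed:
            findings.append(("documented but not seen", ip, role))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in reconcile(DIAGRAM, parse_grepable(NMAP_GREPABLE)):
        print(f"{kind:30} {ip:12} {detail}")
```

With the sample data this flags 10.0.1.77 as a host the diagram does not know about, the documented dial-in server 10.0.1.30 as absent from the scan (it may be powered off, on a segment the scan missed, or long since removed), and telnet on two devices. Each finding is a question for the network administrators during the interviews, which is exactly the cross-checking the NOTE calls for.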
The locations of servers, desktop systems, Internet access, dial-in access, and connectivity to remote sites and other organizations should all be shown. From the network diagram and discussions with network administrators, gather the following information:
▼ Types and numbers of systems on the network
■ Operating systems and versions
■ Network topology (switched, routed, bridged, and so on)
■ Internet access points
■ Internet uses
■ Type, number, and versions of any firewalls
■ Dial-in access points
■ Type of remote access
■ Wide area network topology
■ Access points at remote sites