www.syngress.com Determining the Organization’s Information Criticality • Chapter 3 107
As the assessment team works with the customer to fill out the OICM, it’s normal for the customer to want to change some things. Remember that this matrix is not static. You could end up changing multiple items several times in the process. The customer should be in control because they understand their business. You’re providing expertise to guide their decision process. You should understand that if your definitions change, you will need to revisit the OICM to see if any of the ratings have changed based on the new definitions.
The Customer Perception of the Matrix
Often the customer will end up with misconceptions about the matrix and what it’s intended to convey to the target audience. These issues typically arise before the process is complete, so your team will need to reiterate the goal of these activities. Confront these issues as they arise by explaining why the matrix is important to upper management.
In putting together the OICM, our goal is to distill the information architecture and its impact on the organization into an easy-to-read matrix. We’ve defined the critical pieces of information and prioritized them based on their impact on operations. So now we can understand that the loss of security attributes to these pieces of information can impact the company in varying degrees. If the customer can understand the correlation we have drawn between these things, the matrix should be easy for them to comprehend.
Figure 3.4 Example Completed: Matrix with High-Water Mark
[Figure: an OICM with rows Customer Information, Account Information, Employee Information, Corporate Finances, Research & Development, and High Watermark; columns Confidentiality, Integrity, and Availability; each cell rated High, Medium, or Low.]
One issue that inevitably pops up is the concern that some information types may be construed as being “not important” because they receive a Low rating in some impact attribute categories. This is not, in fact, the truth of the matter. In fact, all information types listed are important to the organization, but the customer needs to understand which ones have a greater impact on the mission.
Another key to the OICM is the distinction drawn between the different types of security required for various information types. Some types may need more protection from an impact attribute than others. Using this thinking, the customer can better determine where to invest their security budget to ensure the best use of resources.
Explaining the Value of Priorities
If everything were rated as a High impact on operations, the matrix would provide no value to the customer, because it would not reflect the reality of the situation. In reality, not all information within a company deserves the same level of protection. But like a small child with his toys, customers can be defensive about what is theirs. Priorities provide the mechanism needed to delineate the difference between information that is merely important and that which is critical.
Case Study: Organizational Criticality at TOOT
The Transit Organization of Operational Trains (TOOT) is under contract to manage 27 percent of all North American train traffic. In this capacity, TOOT schedules, monitors, and enforces the movement of trains from six master control stations (New York, Miami, Mexico City, San Francisco, Seattle, and Toronto). TOOT has contracted with our consulting company to perform a complete NSA IAM-compliant assessment on their organization. They’ve never had an organizational assessment before, so the customer is relatively ignorant of the processes and steps involved. The assessment team leader will need to educate the customer and make sure they really understand the process as the assessment progresses. Our POC is Anne Jackson, TOOT’s CIO. Anne has only been with the organization for about six months. She confides that she believes that many different procedural changes might need to take place before the organization ends up in the headlines. Our team leader decides that Anne will make a great team representative for the customer on the assessment team. Anne is asked to coordinate a pre-assessment visit in two weeks and is given a list of potential company representatives who could provide useful input for this initial step.
We know from our talks with Anne on the phone that the TOOT network is primarily a Windows NT domain network with an IBM AS400 as the primary monitoring server. The team leader decides to bring two technicians from our company. One has experience with Windows security; the other has worked with the AS400 mainframe architecture for years. Together with the team leader, the consulting pre-assessment visit team is ready to go.
Two weeks later, our team arrives on site at the TOOT location in New York, where we’ll meet with Anne and her team. The actual meeting room is a boardroom designed for a group of roughly 20 people to sit around a large table and talk. A large whiteboard hangs on a wall at one end of the room, perfect for listing information types.
Our meeting has been scheduled for 9:00 A.M. on Monday in the boardroom. We meet Anne in her office after checking in at the front desk and receiving our temporary visitor badges. Anne tells us that there should be 11 attendees in the meeting, including those on the assessment team. She says that the attendees should be a collection of individuals from the information technology department that administers the systems for TOOT.
TOOT Information Criticality Topics
At 8:50 A.M. we enter the boardroom with Anne and prepare for the meeting. The team leader lays out his notes and passes out a presentation for each attendee. The presentation gives the attendees an overview of the IAM assessment process and describes what the group will be doing.
The rest of the group shows up around 9:00 A.M. At this point, Anne makes some basic introductions between the team and the TOOT employees in the room. It appears that all the key players have arrived, so the team leader begins his presentation. When the presentation is over, he asks for questions and clarifies the process for a few individuals who seem concerned or confused about the assessment.
With the basics out of the way, the team leader starts the enumeration of information types by explaining to the group what we’re trying to do now. One of the assessment team members is prepared to take notes on a laptop while the team leader jots down the various information types on the whiteboard. The process starts immediately with the mainframe administrator naming the information types she deals with on a daily basis.
After just a few minutes, the rest of the group chimes in, and we soon have a list of roughly 35 information types. The group goes back over the list, carefully checking for items that don’t really belong. E-mail is removed from the list first, along with the customer database. When all the information types have been filtered, corrected, or accepted, there are 22 types on the list.
The assessment team leader explains the process of rolling these various information types into a smaller number of broad categories that encompass the information in question. The group works together and categorizes the information types into eight groups of information that describe all the critical information within the organization. The eight information types are as follows:
■ Regular freight-tracking information
■ Sensitive freight-tracking information
■ Passenger information
■ Track condition-monitoring information
■ Customer information
■ Employee information
■ Corporate finance information
■ Network and communications information
Identifying Impact Attributes
After listing all the information types, the group takes a break, and some members of the group are told they’re done. This leaves the assessment team with the senior technology representatives to identify the impact attributes and complete the OICM. When the break is over, this group returns to complete the work. Our team leader explains that the group needs to pick attributes that directly impact the organization and asks for input on legal regulations or requirements that might influence this decision. The group decides to use the basic set of impact attributes: confidentiality, integrity, and availability. It’s decided that these three attributes cover the concerns the organization may have regarding the security of its information.
Creating Impact Definitions
The group begins working with the definitions that will pinpoint the various impacts that loss of CIA on the various information types has on the organization. Anne decides that it’s best to keep this simple and use the basic High / Medium / Low structure. The rest of the team appears to agree with her. The group ends up with the definitions listed in Table 3.4.
Table 3.4 TOOT Impact Definitions
High
■ Loss of life
■ Severe loss of customer
■ Catastrophic financial penalties from federal regulatory agencies
■ Hostile takeover of railway management system (possible terrorist activities)
■ Financial losses in excess of US$2 million
■ Inability to actively monitor trains or rail systems for more than one hour
Medium
■ Financial penalties in excess of US$100,000 from federal regulatory agencies
■ Financial losses in excess
■ Inability to actively monitor trains and rail systems for one hour or less
■ Widespread loss of customer confidence
■ Loss of reputation
■ Legal action by the customers
Low
■ Inconvenience to the customer
■ Inconvenience to the
■ Loss of customer confidence
■ Disruption of our railway management
Creating the Matrix
Now that we’ve finished defining the impact attributes, the team can start filling in the OICM. This is where most of the conflict will arise, if it exists. In our case study, however, very little conflict exists, because everyone is on the same sheet of music. Anne has done a great job of pulling everyone together and getting the team focused.
The team begins by relating each information type to the impact attributes in question. For starters, the team leader asks the group to begin by considering how the loss of confidentiality of the regular freight information would impact the organization. The team decides what value to put into that box on the matrix by reviewing the definitions they’ve created. After about another hour and a half, the team has filled all the empty blocks in the OICM. By taking the highest rating in each impact attribute column, the team derives the high-water mark and calls it a day. The completed OICM is shown in Figure 3.5.
Figure 3.5 TOOT’s Completed OICM
[Figure: the TOOT OICM with rows Reg Freight, Sens Freight, Pass Info., Track Cond., Cust Info, Net & Comms, Finances, Emp Info, and High Watermark; columns Confidentiality, Integrity, and Availability; each cell rated High, Medium, or Low.]
Summary
The process of creating the Organizational Information Criticality Matrix (OICM) is one of the most important within the INFOSEC Assessment Methodology. The OICM provides a basis for everything else in the methodology and clarifies the intentions and goals of the assessment process for the customer. Poor execution of this portion of the assessment can result in a much more complex and painful assessment for both the customer and the team.
The process of creating the OICM begins with a group of customer representatives sitting in the same room with the assessment team. From here, the customer will begin listing all known information types within the company. It’s not important if the list is relatively long, because the next step rolls these individual pieces of information into more general groupings. These groupings make more sense than the individual pieces from an IAM perspective because they give a more general overview of the information types within the company. Because the IAM is a top-down assessment approach, we need to ensure that we start with this more generalized understanding of the customer’s information.
Some conflict can arise during this process simply because some information types are inherently considered of lesser importance to the organization than others. The individuals in the room may resent the implication that the information that they work with is of less importance. It eventually lies at the feet of upper management to clarify the company’s beliefs regarding these issues.
When the information types have all been grouped together into fewer groups of similar or relevant information types, we’ll pick the impact attributes to use for the assessment process. The most commonly used impact attributes are confidentiality, integrity, and availability. These three encompass the majority of what information security professionals around the world attempt to focus on. Other attributes, such as nonrepudiation or accountability, can be added. The more impact attributes used during the assessment process, the more complex the impact definitions need to be. This ensures that definitions relate directly back to the attributes we’re measuring against.
The standard levels of definitions are High, Medium, and Low. Although these are the standards, they’re not mandatory and may be substituted with your company’s own metric system. Another example of a potentially useful metric is including a numbering system from 0 to 5, with 0 representing the least impact on the organization. The system your organization ends up using depends on your own business processes and your customer’s desires.
The High definition level can be considered something that has a dramatic impact on business operations for the customer. This category is normally reserved for those events that can cause dire harm to the well-being of a company. Some examples include loss of life, complete loss of customer confidence, or the need to file for bankruptcy.
The Medium definition level consists of those things that are of significant impact to the organization. Significant is a subjective term that is up to the customer to define. It could consist of large legal penalties, loss of revenue, and a loss of reputation.
Low importance can be thought of along the lines of those things that will have less impact on the organization. For instance, customer inconvenience or the delay of an arrest (for a police organization) could be considered low by the customer. In the end, all these definitions are subjective and depend heavily on the customer’s interpretation.
The OICM is a box matrix consisting of columns and rows. We label the columns across the top of the matrix with the names of the impact attributes we’ll be using for the assessment. The rows are labeled along the left edge with the information types that the customer has defined.
Next, the assessment team will sit down with the customer and fill in the squares in the box. The process is completed by asking questions such as, “The loss of Integrity for this information type would result in what impact?” This type of activity will fill in the chart based on customer input. The OICM is not a static matrix and could change over the course of the assessment, based on new information or changes in customer opinion.
The final result is an OICM that accurately reflects the customer’s opinions regarding the critical information types within the organization, the various levels of impact considered possible for the organization, and the impact attributes that the customer feels are most important to the organization’s mission. Ratings are given by the customer with feedback from the team.
Best Practices Checklist
Never Underestimate the Amount of Time Required to Define Information Criticality
■ Consider the size of the customer organization.
■ Consider the politics of the customer organization.
■ Consider the industry of the customer organization.
■ Consider the customer understanding of the NSA IAM process.
Ensure That the Right People Are Present to Determine Information Criticality
■ Your customer POC should be an upper management representative.
■ Network administrators for the customer network should be part of the process.
■ Systems administrators of the various operating systems should be part of the process.
■ Administrative or project management personnel should be part of the process, for a business perspective.
Work With Your Customer to List the Information Types Within the Organization
■ Start by brainstorming and listing all the information types the customer can think of.
■ Remove all the superfluous and nonmission-critical information types from the list.
■ Remove all the systems or applications from the list.
■ Roll all the smaller information types into broader groups.
Avoid Internal Politics During the Definition Process
■ Stay objective in the information you offer the customer about security.
■ Allow the management representative to manage conflict and politics.
■ Try to understand the rationale behind the personal feelings of the people in the room.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: During the course of defining the OICM, how often do you actually find the process difficult due to internal conflict or personality issues on the customer’s team?
A: There is almost always some sort of conflict during this process. The employees at the customer site usually believe their information or systems are very important to their company’s overall mission. We often hear statements such as, “If it weren’t for my information, we couldn’t do this. That would be a huge impact on the company!” Although statements like this are true at some level, it eventually comes down to what the manager believes is the truth. The manager, not the employee, decides the real impact.
Q: Is there a limit to the actual number of impact attributes that can be used during the IAM process?
A: NSA doesn’t actually define a specific number of impact attributes that should or should not be used during the assessment process. The actual number will depend heavily on customer desires. This is not to say that your input as a paid information security expert shouldn’t come into play in the decision, but ultimately it’s all up to the customer. The largest number of impact attributes I’ve seen during the assessment process was about 13. The biggest problem we had with that assessment was creating definitions that addressed each of these impact attributes so that we could adequately fill in the matrix. There’s also the chance of some overlap between the definitions when you get too many impact attributes involved in the process.
Q: You mentioned that some organizations prefer to use a numbered definition system. Can you provide more detail on the reasons a business might want to use this system versus the High, Medium, and Low standard?
A: There are a few reasons that an organization might prefer to use a numbering system instead of the High, Medium, Low system taught by NSA. First, a numbering system allows a greater degree of granularity when defining impact to the organization. This granularity allows the customer and the assessment team to better understand the priority of security impact. Second, a numbering system allows the team to give an average or mean number on the OICM instead of the high-water mark. If a customer truly wants to understand which impact attributes are more important to the organization and in what order they exist, a numbered average may provide a better view than a simple high-water mark.
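The high-water-mark rollup from the TOOT case study and the numbered-average alternative from the answer above, as an added Python illustration (not code from the book or from the NSA IAM): it builds a small OICM, derives the high-water mark as the column maximum, computes the per-attribute average instead, and lists the cells rated High, which is how Chapter 4 picks where added protection is considered. The TOOT ratings in it are constructed sample values, not the values printed in Figure 3.5.

```python
"""OICM rollup helpers for the TOOT case study.

Added illustration, not code from the book or the NSA IAM. The ratings in
TOOT_OICM are constructed sample values for the eight TOOT information types;
they are not the values printed in Figure 3.5.
"""

# Ordinal scale for the High / Medium / Low definitions. The numbers are only
# used for comparison and for the numbered-average variant from the FAQ.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
LEVEL_NAMES = {score: name for name, score in LEVELS.items()}

# Impact attributes (matrix columns), in the order the chapter uses them.
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability")

# Constructed OICM: one row per TOOT information type, one cell per attribute.
TOOT_OICM = {
    "Regular freight-tracking":   {"Confidentiality": "Medium", "Integrity": "Low",    "Availability": "Low"},
    "Sensitive freight-tracking": {"Confidentiality": "High",   "Integrity": "Medium", "Availability": "Medium"},
    "Passenger":                  {"Confidentiality": "High",   "Integrity": "High",   "Availability": "Medium"},
    "Track condition-monitoring": {"Confidentiality": "High",   "Integrity": "High",   "Availability": "Medium"},
    "Customer":                   {"Confidentiality": "Medium", "Integrity": "Low",    "Availability": "Low"},
    "Network and communications": {"Confidentiality": "High",   "Integrity": "High",   "Availability": "Medium"},
    "Corporate finance":          {"Confidentiality": "Medium", "Integrity": "Medium", "Availability": "Medium"},
    "Employee":                   {"Confidentiality": "Medium", "Integrity": "Low",    "Availability": "Low"},
}


def validate(oicm):
    """Reject an incomplete matrix: every row must rate every attribute with a
    level that has a definition. An empty cell would silently drop out of a
    column maximum, so it is treated as an error rather than a default."""
    if not oicm:
        raise ValueError("OICM has no information types")
    for info_type, row in oicm.items():
        for attribute in ATTRIBUTES:
            if attribute not in row:
                raise ValueError(f"{info_type!r} has no {attribute} rating")
            if row[attribute] not in LEVELS:
                raise ValueError(f"{info_type!r}: undefined level {row[attribute]!r}")


def high_water_mark(oicm):
    """Rollup rule used in the chapter: the highest rating found in each
    impact-attribute column becomes that attribute's high-water mark."""
    validate(oicm)
    return {
        attribute: LEVEL_NAMES[max(LEVELS[row[attribute]] for row in oicm.values())]
        for attribute in ATTRIBUTES
    }


def attribute_averages(oicm):
    """Numbered alternative from the FAQ: mean ordinal score per column, which
    keeps the ordering information the high-water mark throws away."""
    validate(oicm)
    count = len(oicm)
    return {
        attribute: sum(LEVELS[row[attribute]] for row in oicm.values()) / count
        for attribute in ATTRIBUTES
    }


def rank_attributes(oicm):
    """Attributes ordered by average impact, highest first (the "in what order"
    question from the FAQ). Ties keep the column order."""
    averages = attribute_averages(oicm)
    return sorted(ATTRIBUTES, key=lambda attribute: -averages[attribute])


def cells_at_or_above(oicm, level="High"):
    """(information type, attribute) pairs rated at or above `level`. Chapter 4
    uses the High cells to decide where added protection should be considered."""
    validate(oicm)
    threshold = LEVELS[level]
    return [
        (info_type, attribute)
        for info_type, row in oicm.items()
        for attribute in ATTRIBUTES
        if LEVELS[row[attribute]] >= threshold
    ]


def render(oicm):
    """Plain-text matrix in the book's layout, high-water mark as the last row."""
    width = max(len(name) for name in oicm) + 2
    lines = ["".ljust(width) + "".join(a.ljust(16) for a in ATTRIBUTES)]
    for info_type, row in oicm.items():
        lines.append(info_type.ljust(width) + "".join(row[a].ljust(16) for a in ATTRIBUTES))
    hwm = high_water_mark(oicm)
    lines.append("High Watermark".ljust(width) + "".join(hwm[a].ljust(16) for a in ATTRIBUTES))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(TOOT_OICM))
    print("Averages:", attribute_averages(TOOT_OICM))
    print("Attribute priority:", rank_attributes(TOOT_OICM))
    print("High cells:", cells_at_or_above(TOOT_OICM))
```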
Q: Is the OICM a requirement of the NSA IAM, or is it one of those flexible pieces that can be developed separately as a business process?
A: The OICM is required for the assessment to be compliant with the NSA INFOSEC Assessment Methodology. If your organization is considering an IA-CMM rating from NSA based on your ability to perform the IAM for customers, you’ll need to ensure that this part of the IAM process exists. Assessments that do not conform to the IA-CMM as released by NSA should not be submitted for use or review during the rating process.
Q: Our customers always seem to lean toward very simple impact definitions. What are your recommendations for how detailed these definitions should be, and does it really matter?
A: The definitions are an important piece of creating the OICM. Although the definitions should come directly from the customer, we find it useful to make recommendations based on our own experience. This could include experience in information security in general or in the industry specific to the customer. In the end, the definitions need to be detailed enough that the company can legitimately measure the true impact of security incidents on the organization. If the definitions are too general, it will be difficult to gauge actual impact and the matrix will lack total value.
Q: How long does this particular process actually take?
A: The process laid out in this chapter can vary in length based on multiple factors. How complex and large is the organization you’ll be assessing? Do you know if a lot of internal personality conflicts or politics might come into play? Is the management likely to take control of the situation, or do things tend to get out of hand easily because the company representatives in the room can’t be brought to a decision? The NSA IAM gives a rough guideline of about two days to create the OICM. From our perspective, this process can take as long as a week, depending on the answers to the previous questions. Regardless of how long it takes, this piece has to be done correctly or the rest of the assessment results may be skewed.
Q: I see from the information provided in this chapter that we’ll want to list all the information types we can think of and then roll them into more generalized groups, but is there a recommended range or number of groups we need to stick to when creating the list?
A: In class we use four or five groups of information types in order to simplify the exercises. In a real-life situation, the actual number of types will depend heavily on how the customer decides to roll up the information. Obviously, you’ll have some input into the process, so you can steer them toward the highest level of rollup possible. Typically we end up with anywhere from six to 12 information types listed on the customer OICM. In a couple of instances, there were more or fewer, but this appears to be the standard range.
Chapter 4
System Information Criticality
Solutions in this Chapter:
■ Stepping into System Criticality
■ Determining System Boundaries
■ Defining the Systems
■ Creating the System Criticality Matrix
■ Summary
■ Frequently Asked Questions
Defining the critical information with the customer, as we just did in Chapter 3, should have allowed everyone involved in the organizational assessment process to better understand how the customer’s business operates and the various pieces of information that play an important role in the completion of the customer’s mission. To this point, the customer has played a vital role in the assessment process by specifically defining the different critical information types and identifying the organization’s mission. They’ve also helped by defining the levels of impact that they consider important, relative to their business and industry. All this information has been organized into an easy-to-read matrix that defines (at a high level) the information criticality of the organization.
The next step is just as critical from an assessment point of view because it defines those specific systems that process, transmit, or store the customer’s critical information. These are the key information systems that have the greatest impact on the customer’s operations. From a technical perspective, these are the systems that will be most focused on during any technical evaluations that occur in conjunction with the IAM assessment process. From a purely organizational perspective, these are the systems that need the deepest scrutiny because the compromise or complete loss of these particular information systems would most likely have a distinct and often painful impact on the organization. As in Chapter 3, the activities in this chapter cannot be completed adequately without the involvement of the customer. We provide some example systems to help you better understand the diversity of systems you may encounter at customer sites:
■ Human resources systems
■ Help desk system
■ Network monitoring system
■ Inbound order system
■ Customer information system
■ Security and audit system
■ Corporate finance tracking system
■ Research and development system
■ Investment tracking system
■ Command and control system
Remember, this portion of the assessment is still in the pre-assessment phase and is conducted directly following the creation of the Organizational Information Criticality Matrix (OICM) described in Chapter 3. We’ve broken down the concepts to make it easier to understand their individual impact on the assessment process.
Stepping into System Criticality
Similar to the methodology we used to identify the organizational information criticality and fill in the OICM, the process of identifying the system criticality is completed with the customer close at hand. The assessment team will also complete matrices similar to the OICM, but these will focus specifically on each system we’re able to identify and not necessarily the organization as a whole.
NOTE
It’s important that the reader have a solid grasp on the concepts we discussed in Chapter 3 before moving on to this chapter and the ones that follow. Chapters 3 and 4 help lay the foundation of knowledge you’ll use when you complete the NSA IAM-compliant assessment on your own organization or a client. If it’s been a while since you’ve read Chapter 3, consider reviewing the Summary of that chapter before continuing.
Understanding Why…
Information Criticality Before System Criticality
The NSA IAM is designed to identify the information criticality before the system criticality with specific intent in mind. Each entity has a mission that it strives to achieve on a daily basis. This is the entity’s reason for existence. Within that organization, there are specific pieces of information without which the organization will not be able to achieve its mission goals. By identifying those pieces of information first, we can better isolate the most critical systems within the organization. Without that information, we’re left to try to defend every system component within the organization at the same level, which is not only inefficient but also wastes valuable time and resources.
When we addressed organizational information criticality in Chapter 3, we were trying to take a snapshot in time of the critical information types and their impact on the organization based on known guidelines, policies, regulations, and restrictions. Because the NSA IAM is a top-down model, we can consider this snapshot as having been taken at a very high level, which we refer to as the 50,000-foot picture. As the assessment moves into the identification of the critical systems and our creation of the System Criticality Matrix, the assessment process moves down to the 20,000-foot picture. Figure 4.1 shows the approximate levels of granularity between the various phases of security analysis.
Figure 4.1 Security Phase Granularity
[Figure: an altitude scale running from 50,000 feet down through 40,000, 30,000, 20,000, 10,000, 5,000, and 1,000 to 500 feet, with Information Assessment (OICM, SCM), Information Evaluation (Network, Server/Host), and Red Teaming Activities placed at progressively lower altitudes.]
Figure 4.1 provides a good depiction of how detailed the process becomes as the security team progresses. The NSA IAM is covered under the Information Assessment section. The technical pieces of information evaluation and red teaming activities are not covered in this book. Suffice it to say that we’ve moved down to the 20,000-foot level in order to identify the systems responsible for the organization’s critical information.
TERMINOLOGY ALERT
Red teaming describes the third tier of information security assessment and evaluation activities conducted by the National Security Agency. The term means slightly different things depending on the organization doing the red teaming, but in all cases it implies that security activities are conducted in an adversarial and invasive manner. Some commercial firms refer to these activities as attack and penetration. The goal is to break into the customer network from a hacker’s perspective, using any skills necessary to attempt a compromise of the customer network. Normally, the red teaming activities are conducted after the NSA assessment (IAM) and evaluation activities have occurred to test the security solutions that have been implemented at the customer organization.
Defining High-Level Security Goals
Now that the customer has defined the critical information types (as discussed in Chapter 3), they can work on defining the organization’s high-level goals concerning information security. These goals vary greatly between industries and depend heavily on the customer’s subjectivity as well as local, state, and federal regulations. Each goal the customer defines should reflect the concerns about protecting the critical information types from each impact attribute being used in the assessment process (e.g., confidentiality, integrity, and availability).
Consider a healthcare institution in the United States that now has to take patient privacy into consideration due to the Health Insurance Portability and Accountability Act (HIPAA). The institution’s primary security goals may be the protection of all patient healthcare information used to treat patients and stored within its information systems. The government imposes stiff penalties and fines against healthcare agencies that do not adequately protect this information.
In contrast, an active military unit engaged in hostile combat activities abroad may be more concerned with the security of its command and control systems that guide troop movements, relay strategic and tactical plans, and allow communication with remote units. The unit’s standards of security are based primarily on guidelines handed down from the DoD. The military unit’s high-level security goals are certainly critical to that organization but are completely different from those defined by the healthcare organization.
Each of these security goals should relate back to the OICM that the assessment team and the customer created during the activities defined in Chapter 3. Since the OICM lays the customer’s information types out in a fashion that defines the high-level impact of each type to the organization, we are in a better position to address the protection mechanisms that need to be considered. At the very least, the assessment team can help the customer better relate to the need for protection of these information types.

As an example, let’s use the OICM from the previous chapter to create some generic security goals. This is more an exercise in creative planning than actually laying out specific security guidelines, but these actions will help focus the customer on security and get the entire assessment team thinking along the lines of protecting information. For instance, in the matrix shown in Figure 4.2, we see that the customer has rated customer information as High in integrity. This implies that added protection should be considered for this information type against the loss of integrity. Failure to provide adequate protections for this information type has already inherently been defined as having the ability to cripple the organization. Using this example to further define possible high-level security goals, we need to think along the lines of solutions that could potentially help protect the integrity of our information type. For instance, we might consider some form of encryption of the customer information, or perhaps a file system hashing function to ensure that files aren’t changed without our knowledge. Note that encryption by itself primarily protects confidentiality: unless it is combined with an authentication tag or a signature, an encrypted file can still be altered without detection, so the hashing or signing approach is the one that addresses integrity directly. We’re not defining specific solutions yet, but we need to keep these potential solutions in mind as we examine the actual systems more closely. Some of our hypothetical solutions might not work because they impact the customer’s operations, whereas some could be seamless and transparent to the system’s users.
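As an added example (not from the original text), the following Python script shows what the "file system hashing function" idea looks like in practice: it records a SHA-256 baseline of every file under a directory holding a High-integrity information type and later reports which files were modified, added, or removed. The directory, file names, and contents are constructed for the demonstration; where the baseline is stored and how often it is verified are decisions the assessment would still have to make.

```python
"""Added example: a minimal file-integrity baseline for a directory holding a
High-integrity information type (such as the customer information in the OICM).
Baseline = SHA-256 of every file; verify = re-hash and report files that were
modified, added, or removed. The sample directory and files are constructed
here so the script runs offline; they are not from the original text."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Compare the directory against a stored baseline; return what changed."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a directory, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "customers.csv").write_text("id,name\n1,Alice\n")
        (root / "notes.txt").write_text("ok\n")
        baseline = build_baseline(root)
        # The baseline must live somewhere the monitored system cannot write to
        # (offline media, a read-only share); here we only serialize it to show
        # the format that would be stored.
        saved = json.dumps(baseline, sort_keys=True)
        # Simulate tampering: edit one file, add one, remove one.
        (root / "customers.csv").write_text("id,name\n1,Mallory\n")
        (root / "extra.bin").write_bytes(b"\x00\x01")
        (root / "notes.txt").unlink()
        return verify_baseline(root, json.loads(saved))


if __name__ == "__main__":
    print(demo())
```

Storing the baseline on the same host, writable by the same accounts that can alter the data, defeats the purpose: keep it where the monitored system cannot modify it, and treat an unexpected "modified" entry as an integrity incident to investigate rather than as noise.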
In counterpoint, the impact rating for account information for the loss of availability shows a Low impact to the organization. From this we can infer that the protection mechanisms needed for this information type may not need to be as stringent as those for the integrity of customer information. The loss of availability of the account information type should not, according to the customer’s own definitions, impact the organization as adversely as our first example.
Figure 4.2 Organizational Information Criticality Matrix (rows: Customer Information, Account Information, Employee Information, Corporate Finances, Research & Development; columns: Confidentiality, Integrity, Availability, High Watermark; each cell rated High, Medium, or Low)

WARNING
Although the previous explanation gets the point across that we’re looking for the High impact pieces of information criticality and using those to pinpoint specific components of the customer information architecture that probably need more protection than others, it does fail to adequately convey one simple point. Just because something is listed as a Low impact to the organization, it should not be considered any less deserving of protection or security. Protection is still needed by all critical information types listed in our matrix, but some items simply need more security than others due to the impact they will have on the organization if they are compromised. Don’t get caught up in the idea that something is Low and deserves less attention. We simply use Low to imply that the information type would have less impact on the organization if lost than others would. This concept is important to convey to the customer as well, since there is a tendency to assume that Low items can be overlooked in favor of protecting the High impact items.
Locating Additional Sources of Requirements
While the assessment team is working through this process, a secondary, continual process needs to be occurring in the background to help identify any additional sources of requirements that must be considered. Customers generally tend to know about the requirements that have the most impact on the organization from an information protection perspective, but this might not always be the case. For instance, schools and colleges will most likely already have a good idea about relevant regulations concerning the protection of student privacy information. In the United States, this privacy guideline is called the Family Educational Rights and Privacy Act, or FERPA. But the assessment team should be aware that, in some cases, you may be dealing with a customer that has very little understanding of the actual requirements or regulations to which they’re required to adhere. In the majority of these situations, you will most likely be dealing with a smaller customer. Your experience as a collective assessment team will become extremely useful to these customers.

The goal here isn’t necessarily to come up with regulations of which the customer isn’t already aware. The team just needs to ensure that all required security bases have been covered during the assessment process. There could be local regulations that directly impact the security or protection of information within the customer organization. Failure to include these in the analysis performed during the assessment process could lead to penalties or fees imposed on the customer further down the road in the event of a compromise.

An example of a local regulation that could impact your customer is a physical security restriction. Let’s consider our healthcare institution again, only this time we’ll say it’s a small hospital in a local community. Our assessment team has contacted the town hall and discovered that the local government has decided that only licensed law enforcement officials are allowed to carry loaded firearms within local public facilities buildings. This impacts our customer because they would like to see armed private security guards hired to police the hospital premises and protect patient information. This local restriction impacts the customer’s ability to implement a security solution they are interested in putting in place.
Some potential additional sources of requirements, if the customer is relatively small or inexperienced, could also include something as commonplace as federal policies or regulations. The experience of the team leader or assessment team members will be an invaluable resource in helping define these sources. In the end we are looking to protect the customer from any adverse actions resulting from the lack of security of information considered critical by any outside entity or governing body, or due to the inappropriate implementation of security solutions that may be considered taboo or illegal.
Good ways to start looking for these additional sources might be as simple as making a phone call to the local city council office. Industry associations often have a very good understanding of security requirements, so if your customer is in the utilities industry, for example, contacting the appropriate utility member association can shed light on appropriate regulations to consider. The Internet can also provide a very useful interface for finding regulatory compliance issues that may impact your customer. Most regulations are made public on special Web sites that focus on that industry. Some popular regulatory Web sites are listed in Table 4.1.
Table 4.1 Regulatory Web Sites

Category             Regulatory Standard                                   URL
Education            Family Educational Rights and Privacy Act             www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Healthcare           Health Insurance Portability and Accountability Act   www.hhs.gov/ocr/hipaa
Financial            Gramm-Leach-Bliley                                    www.senate.gov/
Financial            Sarbanes Oxley Act                                    www.aicpa.org/info/summary.htm
Federal or military  National Security Agency Guidelines                   www.nsa.gov/snac.index.html
Determining System Boundaries
One of the biggest concerns that any assessment team will confront while trying to define systems in a customer’s organization will be locating known or perceived boundaries for the system. Boundaries provide a delineation of the system in much the same way as a state line or country border defines each specific government body. Boundaries limit the scope of each system. And remember from our previous definition, a system in the context of our assessment activities is something that transmits, stores, or processes the critical information types within the customer organization. When we define boundaries, we define them based on the physical aspect of the boundary or the logical transfer of the information from one responsible hand to another.
Physical Boundaries
Physical boundaries are often the easiest for the customer and the assessment team to understand. The physical boundary of a system may be as simple as the network jack on the wall, a port on the switch, or an interface on the perimeter firewall. In a more metropolitan-based system, the system could be delineated by the particular building within a city in which the system is used exclusively. On a more global basis, perhaps the system is defined by a particular set of replicated servers and workstations at each of 12 global sites that all share the same information database. Again, physical boundaries tend to be more tangible than logical boundaries because those things can be “touched” in some physical manner. The following list gives common examples of some physical boundaries you’ll see during information assessments:
■ Switch port
■ Firewall interface
■ Perimeter router
■ Subnet router interface
■ Building entrances and exits
changes hands to another entity that then becomes the responsible party for controlling access to the data. A good example of something like this is where a bank transfers information on customer transactions to a partner bank. Once the information leaves the hands of the local bank and moves into the customer’s own bank, the information then becomes the responsibility of the partner bank. Thus the security of that information passes to the partner bank as well. These types of relationships are the best way to view logical boundaries.
From an internal customer perspective, maybe we’re dealing with multiple entities or branches within the organization that control the same information in different phases of its life cycle. Information may arrive in the system via a Web environment that is strictly controlled by the Web or IT teams and then be passed from this network to the procurement department. When the information changes hands and the originating party loses control of and responsibility for the information, we’ve located a logical boundary for the system at hand.
The easiest method of locating these logical boundaries is by creating a data flow diagram with the customer. Data flow diagrams emulate the flow of critical information types within the network. This includes flows from primary servers to workstations or hosts that use the information. Network components are also considered during this process.
From Figure 4.3 you can see that the customer has decided that the network components within the red circle are considered a full system. From the customer perspective, this means that the highlighted servers, workstations, and network components are the single realm within which one or more information types reside. The system could be restricted to a single information type, but it should include all components that have access to the information. In the network diagram shown in Figure 4.3, the physical and logical boundaries of the system would be the external IP address of the firewall. It’s at this point that direct control over the information is lost to the larger network.
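As an added example, not part of the original text, the following Python encodes a small data-flow diagram of the kind described in the two preceding passages: each component is tagged with the party responsible for it and whether it sits inside the assessed system, and each flow of an information type is then classified as internal, a logical boundary (responsibility changes hands, as in the Web-to-procurement hand-off), or a physical boundary (the flow enters or leaves the system, as at the firewall’s external interface). The component names, owners, and flows are constructed for illustration.

```python
"""Added example (not from the original text): locate system boundaries from a
data-flow diagram. Components, responsible parties, and flows are constructed."""
from collections import defaultdict

# Constructed inventory: component -> (responsible party, inside the assessed system?)
COMPONENTS = {
    "internet": (None, False),                     # outside world, nobody we control
    "fw-external-ip": ("IT/Web team", True),       # perimeter firewall, external interface
    "web-server": ("IT/Web team", True),
    "app-db": ("IT/Web team", True),
    "procurement-ws": ("Procurement dept", True),  # same organisation, different owner
    "partner-bank": ("Partner bank", False),       # external entity
}

# Constructed flows: (information type, source component, destination component)
FLOWS = [
    ("customer information", "internet", "fw-external-ip"),
    ("customer information", "fw-external-ip", "web-server"),
    ("customer information", "web-server", "app-db"),
    ("customer information", "app-db", "procurement-ws"),
    ("account information", "app-db", "fw-external-ip"),
    ("account information", "fw-external-ip", "partner-bank"),
]

PHYSICAL_EXIT = "physical boundary (exit)"
PHYSICAL_ENTRY = "physical boundary (entry)"
LOGICAL = "logical boundary"
INTERNAL = "internal"


def classify_flow(components, src, dst):
    """Label one flow. Physical crossings are checked first: a flow that leaves
    the system also changes responsible party, but the system edge is what the
    assessment scopes on."""
    try:
        src_party, src_inside = components[src]
        dst_party, dst_inside = components[dst]
    except KeyError as missing:
        # A component absent from the inventory is an undiscovered boundary:
        # refuse to guess and make the customer document it.
        raise ValueError(f"component not in inventory: {missing}") from None
    if src_inside and not dst_inside:
        return PHYSICAL_EXIT
    if dst_inside and not src_inside:
        return PHYSICAL_ENTRY
    if src_party != dst_party:
        return LOGICAL
    return INTERNAL


def classify_flows(components, flows):
    """Group every flow by information type with its label attached."""
    labelled = defaultdict(list)
    for info_type, src, dst in flows:
        labelled[info_type].append((src, dst, classify_flow(components, src, dst)))
    return dict(labelled)


def boundary_crossings(components, flows):
    """Only the flows where control of the information changes: these are the
    points the assessment team draws the system boundary through."""
    return {
        info_type: [f for f in entries if f[2] != INTERNAL]
        for info_type, entries in classify_flows(components, flows).items()
    }


if __name__ == "__main__":
    for info_type, crossings in boundary_crossings(COMPONENTS, FLOWS).items():
        print(info_type)
        for src, dst, label in crossings:
            print(f"  {src} -> {dst}: {label}")
```

The inventory check is deliberate: a flow that references a component nobody has documented is exactly the kind of gap that hides a boundary, so the script stops rather than silently treating it as internal.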