Information Security Management Handbook




Fifth Edition, Volume 3


OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes
Albert J. Marcella, Jr. and Robert S. Greenfield, ISBN: 0-8493-0955-7

The Ethical Hack: A Framework for Business Value Penetration Testing
James S. Tiller, ISBN: 0-8493-1609-X

The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks
Susan Young and Dave Aitel, ISBN: 0-8493-0888-7

Information Security Architecture: An Integrated Approach to Security in the

Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management

Investigator's Guide to Steganography
Gregory Kipper, ISBN: 0-8493-2433-5

Managing a Network Vulnerability Assessment
Thomas Peltier, Justin Peltier, and John A. Blackley, ISBN: 0-8493-1270-1

Network Perimeter Security: Building Defense In-Depth
Cliff Riggs, ISBN: 0-8493-1628-6

The Practical Guide to HIPAA Privacy and Security Compliance
Kevin Beaver and Rebecca Herold, ISBN: 0-8493-1953-6

A Practical Guide to Security Engineering and Information Assurance
Debra S. Herrmann, ISBN: 0-8493-1163-2

The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions
Rebecca Herold, ISBN: 0-8493-1248-5

Public Key Infrastructure: Building Trusted Applications and Web Services
John R. Vacca, ISBN: 0-8493-0822-4

Securing and Controlling Cisco Routers
Peter T. Davis, ISBN: 0-8493-1290-6

Strategic Information Security
John Wylder, ISBN: 0-8493-2041-0

Surviving Security: How to Integrate People, Process, and Technology, Second Edition
Amanda Andress, ISBN: 0-8493-2042-9

A Technical Guide to IPSec Virtual Private Networks
James S. Tiller, ISBN: 0-8493-0876-3

Using the Common Criteria for IT Security Evaluation
Debra S. Herrmann, ISBN: 0-8493-1404-6


Chapter 18, Enterprise Security Management Program, by George G. McBride © 2005 Copyright Lucent Technologies.

Chapter 23, Beyond Information Security Awareness Training: It Is Time To Change the Culture, by Stan Stahl © Copyright 2005, Citadel Information Group, Inc.

Chapter 25, System Development Security Methodology, by Ian Lim and Ioana V. Bazavan © Copyright 2003 Accenture. All rights reserved. Used by permission.

Published in 2006 by

Auerbach Publications

Taylor & Francis Group

6000 Broken Sound Parkway NW, Suite 300

Boca Raton, FL 33487-2742

© 2006 by Taylor & Francis Group, LLC

Auerbach is an imprint of Taylor & Francis Group

No claim to original U.S. Government works

Printed in the United States of America on acid-free paper

10 9 8 7 6 5 4 3 2 1

International Standard Book Number-10: 0-8493-9561-5 (Hardcover)

International Standard Book Number-13: 978-0-8493-9561-1 (Hardcover)

Library of Congress Card Number 2003061151

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Information security management handbook / Harold F. Tipton, Micki Krause, editors. -- 5th ed.

p. cm.

Includes bibliographical references and index.

ISBN 0-8493-9561-5 (alk. paper)

1. Computer security--Management--Handbooks, manuals, etc. 2. Data protection--Handbooks, manuals, etc. I. Tipton, Harold F. II. Krause, Micki.

QA76.9.A25I54165 2003

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Publications Web site at http://www.auerbach-publications.com

Taylor & Francis Group is the Academic Division of Informa plc.


Table of Contents

About the Editors xi

Contributors xiii

Introduction xxiii

1 ACCESS CONTROL SYSTEMS AND METHODOLOGY 1

Section 1.1 Access Control Techniques

1 Sensitive or Critical Data Access Controls 5

Mollie E. Krehnke and David C. Krehnke

2 An Introduction to Role-Based Access Control 17

Ian Clark

3 Smart Cards 31

Jim Tiller

4 A Guide to Evaluating Tokens 41

Joseph T. Hootman

Section 1.2 Access Control Administration

5 Identity Management: Benefits and Challenges 51

Lynda L. McGhie

2 TELECOMMUNICATIONS AND NETWORK SECURITY 69

Section 2.1 Communications and Network Security

6 An Examination of Firewall Architectures 73

Paul A. Henry

7 The Five W’s and Designing a Secure, Identity-Based, Self-Defending Network (5W Network) 119

Samuel W. Chun


10 Voice over WLAN 145

Bill Lipiczky

11 Spam Wars: How To Deal with Junk E-Mail 155

Al Bredenberg

12 Auditing the Telephony System: Defenses against Communications Security Breaches and Toll Fraud 161

William A. Yarberry, Jr.

3 SECURITY MANAGEMENT PRACTICES 175

13 The Controls Matrix 179

Robert M. Slade

14 Information Security Governance 183

Ralph Spencer Poore

15 Belts and Suspenders: Diversity in Information Technology Security 189

Jeffrey Davis

16 Building Management Commitment through Security Councils, or Security Council Critical Success Factors 197

Todd Fitzgerald

17 Developing and Conducting a Security Test and Evaluation 213

20 People, Processes, and Technology: A Winning Combination 241

Felicia M Nicastro


21 Building an Effective Privacy Program 251

Rebecca Herold

22 Training Employees To Identify Potential Fraud and How To Encourage Them To Come Forward 265

Rebecca Herold

23 Beyond Information Security Awareness Training: It Is Time To Change the Culture 285

25 System Development Security Methodology 309

Ian Lim and Ioana V. Bazavan

26 Software Engineering Institute Capability Maturity Model 325

Matt Nelson

27 Organized Crime and Malware 339

Michael Pike

28 Enabling Safer Deployment of Internet Mobile Code Technologies 351

Ron Moritz

5 CRYPTOGRAPHY 363

29 Blind Detection of Steganographic Content in Digital Images Using Cellular Automata 367

Sasan Hamidi

30 An Overview of Quantum Cryptography 373

Ben Rothke


31 Elliptic Curve Cryptography: Delivering High-Performance Security for E-Commerce and Communications 385

Paul Lambert

Organizations, Architectures, and Designs

32 Enterprise Assurance: A Framework Explored 397

Bonnie A. Goins

7 OPERATIONS SECURITY 403

33 Managing Unmanaged Systems 407

Bill Stackpole and Man Nguyen

34 Understanding Service Level Agreements 423

Gilbert Held

AND DISASTER RECOVERY PLANNING 429

35 Building Maintenance Processes for Business Continuity Plans 433

Ken M. Shaurette and Thomas J. Schleppenbach

39 The Business Impact Assessment Process and the Importance of Using Business Process Mapping 465

Carl Jackson

40 How To Test Business Continuity and Disaster Recovery Plans and How Often 483

James S. Mitts


9 LAW, INVESTIGATION, AND ETHICS 497

41 Sarbanes–Oxley Compliance: A Technology Practitioner’s Guide 501

Bonnie A. Goins

42 Health Insurance Portability and Accountability Act Security Rule 511

Lynda L. McGhie

43 The Ethical and Legal Concerns of Spyware 525

Janice C. Sipior, Burke T. Ward, and Georgina R. Roselli

44 The Evolution of the Sploit 537

47 It’s All about Power: Information Warfare Tactics by Terrorists, Activists, and Miscreants 579

Gerald L. Kovacich, Andy Jones, and Perry G. Luzwick

48 DCSA: A Practical Approach to Digital Crime Scene Analysis 601

Marcus K. Rogers

49 What a Computer Security Professional Needs To Know about E-Discovery and Digital Forensics 615

Larry R. Leibrock

50 How To Begin a Non-Liturgical Forensic Examination 621

Carol Stucki

10 PHYSICAL SECURITY 637

51 Physical Security for Mission-Critical Facilities and Data Centers 641

Gerald Bowman

INDEX 663


About the Editors

Harold F. Tipton, CISSP, currently an independent consultant and past president of the International Information System Security Certification Consortium, (ISC)2, was Director of Computer Security for Rockwell International Corporation for 15 years. He initiated the Rockwell computer and data security program in 1977 and then continued to administer, develop, enhance, and expand the program to accommodate the control needs produced by technological advances until his retirement from Rockwell in 1994. He has been a member of the Information Systems Security Association (ISSA) since 1982, was president of the Los Angeles Chapter in 1984, and was president of the national organization of ISSA from 1987 to 1989. He was added to the ISSA Hall of Fame and the ISSA Honor Roll in 2000. He received the Computer Security Institute “Lifetime Achievement Award” in 1994 and the (ISC)2 “Hal Tipton Award” in 2001. He was a member of the National Institute for Standards and Technology (NIST) Computer and Telecommunications Security Council and the National Research Council Secure Systems Study Committee (for the National Academy of Science). He has a bachelor of science degree in engineering from the U.S. Naval Academy, a master’s degree in personnel administration from George Washington University, and a certificate in computer science from the University of California, Irvine.

He has published several papers on information security issues in the Information Security Management Handbook, Data Security Management, Information Systems Security, and the National Academy of Sciences report Computers at Risk. He has been a speaker at all of the major information security conferences, including the Computer Security Institute, ISSA Annual Working Conference, Computer Security Workshop, MIS Conferences, AIS Security for Space Operations, DOE Computer Security Conference, National Computer Security Conference, IIA Security Conference, EDPAA, UCCEL Security and Audit Users Conference, and Industrial Security Awareness Conference. He has conducted and participated in information security seminars for (ISC)2, Frost & Sullivan, UCI, CSULB, System Exchange Seminars, and the Institute for International Research. He is currently serving as editor of the Information Security Management Handbook.

Micki Krause, CISSP, has held positions in the information security profession for the past 20 years. She is currently the Chief Information Security Officer at Pacific Life Insurance Company in Newport Beach, California, where she is accountable for directing their information protection and security program enterprisewide. Micki has held several leadership roles in industry-influential groups including the Information Systems Security Association (ISSA) and the International Information System Security Certification Consortium, (ISC)2, and is a long-term advocate for professional security education and certification. In 2003, Krause received industry recognition as a recipient of the “Women of Vision” award given by Information Security magazine. In 2002, Krause was honored as the second recipient of the Harold F. Tipton Award in recognition of sustained career excellence and outstanding contributions to the profession. She is a reputed speaker, published author, and co-editor of the Information Security Management Handbook series.


Contributors

Ioana V. Bazavan, CISSP, is the Manager of Information Security Access Services at Safeway, Inc. She manages a team of 18 people who are charged with providing systems access to all of Safeway’s users and applications. She has been heavily involved in the design and implementation of Safeway’s Identity Management strategy and technologies. Previously, Ioana was a manager in Accenture’s global security practice, specializing in holistic security solutions that focus on users and organizations, as well as on systems. She gained extensive experience in security policy, standards, and process design and implementation; compliance solutions based on industry and regulatory standards; security organization design; user training and awareness; incident response; risk assessment; user management systems; infrastructure security; systems development methodology; and security strategy. Ioana has industry experience in financial services, government, high-tech, resources, and retail.

Gerald Bowman is currently the North American Director of ACE and Advanced Technologies for SYSTIMAX® Solutions for the design professional community and advanced technology in the corporate enterprise. Jerry joined the SYSTIMAX team from Superior Systems Technologies, where he was Chief Operating Officer. Prior to that, he was Vice President of Engineering for Riser Management Systems, a telecommunications design, engineering, management, and consulting firm responsible for consulting engineering projects for 78 of the tallest buildings in the United States, including 12 Carrier Hotels, numerous data centers for ISPs, high-end telecom real estate, and other corporate enterprises.

Al Bredenberg is a writer, Web developer, and Internet marketing consultant. He is author of The Small Business Guide to Internet Marketing and editor of The NET Results News Service, both of which are electronic publications available over the Internet. He can be reached at ab@copywriter.com or through his World Wide Web site at http://www.copywriter.com.

Samuel W. Chun, CISSP, is Director of Network Services at Digital Support Corporation, a TechTeam Global Company.

Ian Clark is Head of IT Quality Assurance for GE Consumer Finance. While at Nokia, he was the Security Portfolio Manager for Nokia’s business infrastructure, working on global security projects. Prior to Nokia, he worked for EDS and spent 11 years in the British army specializing in secure communications.

Jeffrey Davis, CISSP, has been working in information security for the past ten years. He is currently a senior manager at Lucent Technologies and is involved with intrusion detection, anti-virus, and threat assessment. He holds a bachelor’s degree in electrical engineering and a master’s degree in computer science from Stevens Institute of Technology.

Ken Doughty is the Manager of Disaster Recovery for Colonial, one of Australia’s largest financial institutions in the banking, insurance, and investment services sector. He has over 20 years of information systems auditing experience and 12 years business continuity planning experience in the public and private sectors.

Todd Fitzgerald, CISSP, CISA, CISM, is the Director of Systems Security and Systems Security Officer for United Government Services, LLC. He has over 25 years of broad-based information technology experience and has held senior information technology management positions with Fortune 500 and Global Fortune 250 companies. Todd is a member of the Board of Directors and security taskforce co-chair for the HIPAA Collaborative of Wisconsin (HIPAA COW); a participant in the CMS/Gartner Security Best Practices Group, Blue Cross Blue Shield Association Information Security Advisory Group; a previous board member for several information systems security associations; and a frequent speaker and writer on security issues. Todd focuses largely on issues related to security management, risk assessments, policy development, organizing security, security assessments, regulatory compliance (HIPAA, CAST, NIST, ISO17799), security awareness, and developing security programs. Todd can be reached at todd_fitzgerald@yahoo.com.

Stephen D. Fried, CISSP, CISM, is the Vice President for Information Security and Privacy at Metavante Corporation. He is a seasoned information security professional with over 20 years’ experience in information technology. For the past ten years he has concentrated his efforts on providing effective information security management to large organizations. Stephen has led the creation of security programs for two Fortune 500 companies and has extensive experience in such diverse security issues as risk assessment and management, security policy development, security architecture, infrastructure and perimeter security design, outsource relationship security, offshore development, intellectual property protection, security technology development, business continuity, secure E-business design, and information technology auditing. A frequent speaker at conferences in the United States and internationally, Stephen is active in many security industry organizations.

Robby Fussell is at the School of Computer and Information Sciences at Nova Southeastern University in Fort Lauderdale, Florida.

Bonnie A. Goins, BS7799 Certified Lead Auditor, CISSP, CISM, GIAC, ISS, NSA IAM, is a Principal Consultant with HotSkills, Inc. As a Senior Security Strategist at Isthmus Group, Inc., she was the co-practice leader for IGI’s Security Practice. She has over 15 years of experience in the areas of information security; secure network design and implementation; risk, business impact, and security assessment methods; project management; executive strategy and management consulting; and information technology. She also has extensive working experience in regulated industries. She has functioned as a National Security Practice competency leader for multiple companies and has also established premier partnerships with Novell and Microsoft, across the business continuity/disaster recovery and security disciplines. She is a coauthor of the Digital Crime Prevention Lab and a contributing reviewer for SANS’ HIPAA Step-by-Step.

Sasan Hamidi, Ph.D., is Chief Security Officer at Interval International, Inc.

Gilbert Held is an award-winning author and lecturer. Gil is the author of over 50 books and 500 technical articles. Some of Gil’s recent publications include Building the Wireless Office and The ABCs of TCP/IP, both published by Auerbach Publications. Gil can be contacted via e-mail at gil_held@yahoo.com.


Paul Henry, CISSP, is Senior Vice President of CyberGuard Corporation. He has more than 20 years’ experience with security and safety controls for high-risk environments such as nuclear power plants and industrial boiler sites. In addition, Paul has developed and managed security projects for major government and commercial organizations worldwide. Paul has written technical papers on port scanning basics, buffer over-runs, firewall architectures, and burner management and process controls for nuclear power plants, as well as white papers on covert channel attacks, distributed denial of service (DDoS) attacks, common mode noise and common mode rejection, PLC programming, and buffer over-runs. Paul also frequently serves as a featured and keynote speaker at network security seminars and conferences worldwide, presenting white papers on diverse topics, including DDoS attack risk mitigation, firewall architectures, intrusion methodology, enterprise security, and managed security services. In addition to the CISSP, Paul holds many other security certifications, including MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISM, and CISA.

Rebecca Herold, CISM, CISA, CISSP, FLMI, is an information privacy, security, and compliance consultant, author, and instructor. Rebecca has over 15 years of information privacy, security, and regulatory compliance experience and assists organizations of all sizes with their information privacy, security, and regulatory compliance programs. Prior to owning her own business, Rebecca was Vice President of Privacy Services and Chief Procurement Officer at DelCreo for two years. Rebecca was also Senior Systems Security Consultant at Principal Financial Group, where she was instrumental in building an information security and privacy program that was awarded the 1998 CSI Information Security Program of the Year. Rebecca is the author of The Privacy Papers (Auerbach, 2001) and Managing an Information Security and Privacy Training and Awareness Program (Auerbach, 2005) and is co-author of The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach, 2003) and The Business Executive Practical Guides to Compliance and Security Risks book series in 2004. She can be reached at rebeccaherold@rebeccaherold.com.

Joseph T. Hootman is President of Computer Security Systems, Inc., a computer and information security consulting and product sales firm based in Northern California.

Charles R. Hudson, Jr., CISSP, CISM, is an Information Security Manager and Assistant Vice President at Wilmington Trust Company. Mr. Hudson obtained the Certified Information Systems Security Professional (CISSP) designation in 2000 and the Certified Information Security Manager (CISM) designation in 2003. He is a regular speaker at national conferences and has made presentations at over 15 conferences in the last 5 years as a subject matter expert. Mr. Hudson has contributed to articles for Computer World, Security Watch, and Information Security Magazine.

Carl Jackson, CISSP, CBCP, is Business Continuity Program Director with Pacific Life Insurance. He is a Certified Information Systems Security Professional (CISSP) with more than 25 years of experience in the areas of continuity planning, information security, and information technology internal control and quality assurance reviews and audits. Prior to joining Pacific Life, he worked with several information security consulting companies and as a partner with Ernst & Young, where he was the firm’s BCP Line Leader. Carl has extensive consulting experience with numerous major organizations in multiple industries, including manufacturing, financial services, transportation, healthcare, technology, pharmaceutical, retail, aerospace, insurance, and professional sports management. He also has extensive industry business information security experience as an information security practitioner and as a manager in the field of information security and business continuity planning. He has written extensively and is a frequent public speaker on all aspects of information security and business continuity planning. He can be reached at carl.jackson@pacificlife.com.

Andy Jones is an experienced military intelligence analyst and information technology security specialist. He has had considerable experience in the analysis of intelligence material in strategic, tactical, and counter-insurgency operations, as well as a wide range of information systems management experience. In addition, he has considerable experience in the security of information technology systems, having been responsible for the implementation of information technology security within all areas of the British Army and in some joint service organizations. He has directed both intelligence and security operations and briefed the results at the highest level. He was awarded the MBE for his work during his service in Northern Ireland and has gained an Open University bachelor of science degree in mathematics and technology. After completing 25 years service with the British Army’s Intelligence Corps, he moved into research in information warfare and information security. He has gained considerable experience as a project manager within the U.K. Defence Evaluation and Research Agency (DERA) for security aspects of digitization of the battlefield initiative and has gained considerable expertise on the criminal and terrorist aspects of information security. He is currently the business manager for the secure E-business department of QinetiQ, the privatized portion of DERA. He holds a lecturership with the U.K. Open University and is a visiting lecturer at the University of Glamorgan in a master of science program for network security and computer crime.

Gerald L. Kovacich, Ph.D., CISSP, CFE, CPP, has over 37 years of industrial security, investigations, information systems security, and information warfare experience in the U.S. government as a special agent; in business, as a technologist and manager for numerous technology-based, international corporations as an ISSO, security, audit, and investigations manager; and as a consultant to U.S. and foreign government agencies and corporations. He has also developed and managed several internationally based InfoSec programs for Fortune 500 corporations and managed several information systems security organizations, including providing service and support for their information warfare products and services.

David C. Krehnke, CISSP, ISSMP, CISM, CHS-III, IAM, is a Principal Information Security Analyst for Northrop Grumman Information Technology in Raleigh, North Carolina. He has more than 30 years of experience in assessment and implementation of information security technologies, policies, practices, procedures, and protection mechanisms in support of organizational objectives for various federal agencies and government contractors. David has also served the International Information Systems Security Certification Consortium as a board member, vice president, president, and program director responsible for test development.

Mollie E. Krehnke, CISSP, CHS-II, IAM, is a Senior Information Security Consultant for Insight Global, Inc., in Raleigh, North Carolina. Mollie and her husband, David Krehnke, are members of the inventor team for the Workstation Lock and Alarm System (U.S. Patent No. 6,014,746). Mollie has served as an information security consultant for more than 15 years.

Paul Lambert is responsible for the development and implementation of Certicom’s product strategy to meet and exceed current market demands, trends, and forecasts for cryptographic security technologies.

He is currently a government appointee to a technical advisory committee for federal information

He holds bachelor of science degrees in both electrical engineering and computer science from the University of Colorado, Boulder.

Larry R Leibrock, Ph.D., is with eForensics, Inc.

Ian Lim, CISSP, is Director of Enterprise Information Security at New Century Financial Corporation. He works alongside the Information Security Officer to manage the Corporate Information Security department, develop corporatewide security policies, review and certify the security of enterprise architectural components, and assure compliance with security-related regulations. Previously, as a Senior Consultant in Accenture’s global security practice, Ian worked in the healthcare, financial, government, telecommunications, and high-tech industries to provide information security expertise in the areas of strategy development, architectural designs, process definitions, and organizational planning.

Bill Lipiczky has practiced in the information technology and security arena for over two decades, beginning his career as a mainframe operator. As information technology and security evolved, he evolved as well. His experience includes networking numerous operating systems (UNIX, NetWare, and Windows) and networking hardware platforms. He currently is a principal in a security consulting and management firm as well as a lead CISSP instructor for the International Information System Security Certification Consortium.

Perry G. Luzwick is Director, Information Assurance Architectures, at Northrop Grumman Information Technology for information warfare, information assurance, critical infrastructure protection, and knowledge management. Perry served as a Lieutenant Colonel in the U.S. Air Force and was Military Assistant to the Principal Deputy Assistant Secretary of Defense for Command, Control, Communications, and Intelligence; Deputy Director for Defensive IO, IO Strategy, and Integration Directorate; Chief, Information Assurance Architecture, Directorate for Engineering and Interoperability, Defense Information Systems Agency (DISA); Deputy Chief, Current Operations and Chief, Operations and Information Warfare Integration, Operations Directorate, DISA; Information Assurance Action Officer, Information Assurance Division (J6K), the Joint Staff; and Chief, JCS, CINC, and Defense Agency Communications–Computer Security Support, National Security Agency.

George G. McBride, CISSP, is the Senior Manager of Lucent Technologies’ Global Risk Assessment and Penetration Testing group in Holmdel, New Jersey, and has worked in the network security industry for more than six years. George has spoken at conferences worldwide on topics such as penetration testing, risk assessments, and open source security tools. He has consulted to numerous Fortune 100 companies on projects including network architecture, application vulnerability assessments, and security organization development. George has a bachelor’s degree in electronic engineering and a master’s degree in software engineering.


Lynda L. McGhie, CISSP, CISM, is the Information Security Officer/Risk Manager for Wells Fargo Bank, Private Client Services (PCS). Lynda has over 23 years of information technology and information security experience, specializing in risk management and compliance, security engineering and design, business continuity planning and crisis management, network security, and identity management. Lynda was formerly the Chief Information Security Officer for Delta Dental and Lockheed Martin Corporation. In her current role, she is responsible for risk management for PCS within the Wells Fargo Corporation and has a dotted-line responsibility to the corporate CISO/IT security governance. Lynda regularly publishes articles on state-of-the-art security topics and issues and is also a regular speaker for MIS, ISSA, ISACA, and other information technology and security venues.

James S. Mitts, CISSP, is a Principal Consultant with Vigilant Services Group who has over 18 years of demonstrated ability in managing, planning, implementing, and controlling complex projects involving numerous aspects of business continuity, disaster recovery, and information technology and security. He holds a bachelor of science degree in professional management from Nova University.

Ron Moritz is director of the Technology Office at Finjan Software, where he serves as primary technology visionary. As a key member of the senior management team interfacing between sales, marketing, product management, and product development, Moritz helps establish and maintain the company’s technological standards and preserve the company’s leadership role as a developer of advanced Internet security solutions. He was instrumental in the organization of Finjan’s Java Security Alliance and established and currently chairs Finjan’s Technical Advisory Board. He is one of a select group of Certified Information Systems Security Professionals, and he earned his master of software engineering, master of business administration, and bachelor of arts from Case Western Reserve University in Cleveland, Ohio. Moritz has served in various capacities, including president, with both the North Coast chapter of the Information Systems Security Association and the Northeast Ohio chapter of the Information Systems Audit and Control Association. He has lectured on Web security, mobile code security, computer ethics, intellectual property rights, and business continuity and resumption planning. Over the past year, his presentations on mobile code security have been well received at the European Security Forum (London), the FBI’s InfraGuard Conference (Cleveland), CSI’s NetSec (San Antonio), MISTI’s Web-Sec Europe (London), and RSA Data Security (San Francisco).

Matt Nelson spent several years as a programmer, a network manager, and an IT director. He now does information security and business process consulting for International Network Services. He has a bachelor’s degree in computer science from Texas A&M University and a master’s in technology management from The University of Texas at San Antonio. His certifications include the CISSP, PMP, and ITIL Foundation certifications.

Man Nguyen, CISSP, is a Security Consultant at Microsoft Corporation.

Felicia M. Nicastro, CISSP, CHSP, is a Principal Consultant with International Network Services (INS). Felicia has worked with various Fortune 500 companies over the four years she has been with INS. Her areas of expertise include security policies and procedures, security assessments and security architecture planning, design, implementation, and operation. Prior to joining INS, Felicia was a systems administrator for the Associated Press, responsible for UNIX and security administration. Felicia earned her bachelor’s degree in management information systems from Stockton College in New Jersey. Her e-mail address is felicia.nicastro@ins.com.


Michael Pike, ITIL, CISSP, is an information security consultant working for a large local government organization in the United Kingdom. He started working in information technology over 14 years ago and spent several years in end-user support and information technology operations before moving to information security full time. Michael has worked for a variety of public and private sector organizations in the North of England. His experience includes security analysis, forensic work, and incident response. Michael can be contacted at mphism@yahoo.co.uk.

Christopher A. Pilewski, CCSA, CPA/E, FSWCE, FSLCE, MCP, is a Senior Security Strategist at Isthmus Group, Inc. He has over 14 years of professional experience in networking technology, engineering, audit, security, and consulting. This experience spans security, risk assessment and mitigation, business process, technical controls, business continuity, technical project leadership, design, and integration of network and information systems. Prior to joining the Isthmus Group, he worked for three flagship communications companies where he led a wide variety of projects in security assessments, implementation of security systems, secure network architecture, network management systems, quality control/assurance, protocol analysis, and technical marketing.

Ralph Spencer Poore, CFE, CISA, CISSP, CHS-III, Principal Consultant, Innovè, LLC, and Senior Partner, Pi R Squared Consulting, LLP, provides security, privacy, and compliance consulting services, continuing a 30-plus-year distinguished career in information security as an inventor, author, consultant, CISO, CTO, college instructor, and entrepreneur. He has published widely, including articles on information security issues in the Information Security Management Handbook and in Information Systems Security (where he was a past consulting editor). He served in numerous capacities with (ISC)2, including as a past International president, as founding chairman of the Test Development Committee, and as chairman of the Governance Committee. He currently serves on the Professional Conduct Committee, the CBK Committee, and the Americas Advisory Board.

Sean M. Price, CISSP, is an independent information security consultant located in the Washington, D.C., area. He provides security consulting and engineering support for commercial and government entities. His experience includes nine years as an electronics technician in metrology for the U.S. Air Force. He has earned a bachelor’s of science degree in accounting and a master’s of science degree in computer information systems. Sean is continually immersed in research and development activities for secure systems. His e-mail address is sean.price@sentinel-consulting.com.

Marcus K. Rogers, Ph.D., CISSP, CCCI, is with the Department of Computer Technology at Purdue University.

Georgina R. Roselli is a member of the faculty at the College of Commerce and Finance at Villanova University.

Ben Rothke, CISSP, CISSM, is a New York City-based senior security consultant with ThruPoint, Inc., and has over 15 years of industry experience in the area of information systems security. His areas of expertise are in PKI, HIPAA, 21 CFR Part 11, security and privacy regulatory issues, design and implementation of systems security, encryption, firewall configuration and review, cryptography, and security policy development. Ben is the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2003) and a contributing author to Network Security: The Complete Reference (McGraw–Hill Osborne, 2003) and Information Security Management Handbook (Auerbach, 1999). He can be reached at brothke@hotmail.com.


Thomas J. Schleppenbach, CISSP, CISM, SCTA, is a Senior Information Security Advisor for MPC Solutions in Waukesha, Wisconsin. With over 16 total years of information technology experience, Tom is a trained Computer Forensics investigator who focuses on assisting organizations with secure infrastructure design and provides strategic security advice to help organizations plan and build information security programs for compliance with legal and regulatory requirements. Tom is a member of the Western Wisconsin Chapter of InfraGard Executive planning committee and a member of the Wisconsin Association of Computer Crime Investigators and has worked with schools and school districts to educate children on how to stay safe online. He can be reached at tschleppenbac@mpccorp.com.

Ken M. Shaurette, CISSP, CISA, CISM, is an Information Security Solutions Manager for MPC Security Solutions practice located in Pewaukee, Wisconsin. Ken has been in information technology since 1978. Since 1985, Ken has worked at several organizational levels providing information security and audit advice and vision for organizations building information security programs in several different industries and for Fortune 500 organizations. Ken holds several security certifications and is certified in the NSA’s InfoSec Assessment Methodology. As a frequent speaker at regional and national seminars and conferences, Ken has also contributed white papers and other articles on security. Ken is the chairman of the Information Security Specialist Advisory Board for Milwaukee Area Technical College, president of the Western Wisconsin Chapter of InfraGard, president of International Systems Security Association–Milwaukee Chapter, a member of the Wisconsin Association of Computer Crime Investigators, and co-chair of the HIPAA-COW (Collaborative of Wisconsin) Security Workgroup; he has also been the co-chair for the Wisconsin InfraGard KIS (Kids Improving Security) poster contest.

Janice C. Sipior is a member of the faculty at the College of Commerce and Finance at Villanova University. Janice can be reached at janice.sipior@villanova.edu.

Ed Skoudis, CISSP, is a senior security consultant with Intelguardians Network Intelligence. Ed’s expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues. He has performed numerous security assessments, designed secure network architectures, and responded to computer attacks for clients in the financial, high-technology, healthcare, and other industries. Ed is a frequent speaker on issues associated with hacker tools and defenses and has published several articles on these topics, as well as Malware and Counter Hack. Ed is also author of the popular “Crack the Hacker Challenge” series, which challenges InfoSec professionals to learn from others’ mistakes. Additionally, Ed conducted a demonstration of hacker techniques against financial institutions for the U.S. Senate. His prior work experience includes Bell Communications Research (Bellcore), SAIC, Global Integrity, and Predictive Systems.

Robert M. Slade, MS, CISSP, is a data communications and security specialist from North Vancouver, British Columbia, Canada. He has both formal training in data communications and exploration with the BBS and network community and has done communications training for a number of the international commercial seminar firms. He is the author of Robert Slade’s Guide to Computer Viruses (Springer–Verlag, 1996). He earned a bachelor of science degree at the University of British Columbia, and a master’s from the University of Oregon. He is the founder of the DECUS Canada Education and Training SIG.

Bill Stackpole, CISSP, CISM, is an Engagement Manager with Microsoft Corporation.

Stan Stahl, Ph.D., is President of Citadel Information Group, Inc.


Carol Stucki is working as a technical producer for PurchasePro.com, a rapidly growing dot.com company that is an application service provider specializing in Internet-based procurement. Carol’s past experiences include working with GTE, Perot Systems, and Arthur Andersen as a programmer, system analyst, project manager, and auditor.

Jim Tiller, CISM, CISA, CISSP, is Chief Security Officer and Managing Vice President of Security Services for International Network Services (INS). Jim has been with INS since 1998 and has provided security solutions for global organizations for the last 13 years. He is the author of The Ethical Hack: A Framework for Business Value Penetration Testing (Auerbach, 2003) and A Technical Guide to IPSec Virtual Private Networks (Auerbach, 2000) and editor of Information Systems Security.

Burke T. Ward is a member of the faculty at the College of Commerce and Finance at Villanova University.

William A. Yarberry, Jr., CPA, CISA, is a principal with Southwest Telecom Consulting. He is the author of Computer Telephony Integration (Auerbach, 2002) and co-author of Telecommunications Cost Management (Auerbach, 2002). He welcomes reader comments (Yarberry@SouthwestTelecomConsulting.com).


Introduction

The landscape of information security has changed. The bad news: It is more nebulous than ever before. No longer can chief information security officers work solely within the confines of their organizations’ security policies or their industry-specific regulatory mandates and feel comfortable that the depth and efficacy of their program will not be second guessed. As current events unfold, established institutions such as Bank of America, Lexis-Nexis, and Choicepoint watch as their reputations come into question and their names are plastered on the front pages of the national media. Regardless of the incidental details, be they business process fraud or third-party errors and omissions, all of the events to date have been publicized as “security breaches.” Does this mean that the chief information security officer is the individual who is accountable for the deficiencies? If not, who is? What role does the chief information security officer play in this extraordinarily complex and imprecise environment?

Prompted by current events, legislators hold committee hearings and continue to probe, asking incessant questions about the adequacy of information security and protection programs as they weigh in on the adoption of additional federal and state regulations relative to widely publicized events such as identity theft. At the same time, threats such as external hacking endanger the security of organizations’ infrastructures. Although the data indicates that companies are adopting more robust security postures at the perimeter, the enemy continues to get smarter and the security professional continues to look for a better mousetrap. Moreover, immature control disciplines on, for example, Web application development introduce newer, potentially exploitable vulnerabilities, such as cross-site scripting and buffer overflows.

So, as custodians and guardians of a broad spectrum of information assets, what are we to do? Enter the Information Security Management Handbook, the mission of which is to arm readers so they are prepared to do battle in this exciting yet taxing environment. The multitude of authors who have contributed to this handbook delve into detail on the ten domains of the information security common body of knowledge, providing technical, people-based, and process-based solutions for many of the same situations that the readers routinely encounter. Our goal is to empower readers with pragmatic counsel so they can establish a defensible standard of due care in their own organizations.

As always, this volume balances contemporary articles along with relevant articles from past editions. We offer this compilation of information, representing hundreds of years of accumulated experience and knowledge, so our readers can fight the good fight and triumph over the various and sundry challenges facing all of us.

Good Luck,

Hal Tipton and Micki Krause


Domain 1 Access Control Systems and Methodology


According to Webster’s Dictionary, control is a method to “exercise restraining or directing influence over.” Organizations use controls to regulate and define the limits of behavior for their workforces, operations, processes, and systems. Access control is comprised of the processes and supporting technical tools used to enforce the fundamental principle of least privilege, which ensures that appropriate access is granted for only those resources required for performance of a job. Access controls can be (1) user based, (2) role based, or (3) user and role based. [Ample justification exists for beginning the handbook with the fundamental concept of controlling access to resources. Absent access controls, organizations have little if any assurance that information will be used or disclosed in other than an authorized manner.]


Contents

1 Sensitive or Critical Data Access Controls 5

Mollie E. Krehnke and David C. Krehnke

2 An Introduction to Role-Based Access Control 17

5 Identity Management: Benefits and Challenges 51

Lynda L. McGhie


1 Sensitive or Critical Data Access Controls

Mollie E. Krehnke and David C. Krehnke

Introduction

Corporations have incredible amounts of data that is created, acquired, modified, stored, and transmitted. This data is the life blood of the corporation and must be protected like any other strategic asset. The controls established to prevent unauthorized individuals from accessing a company’s or a customer’s data will depend on the data itself and the laws and regulations that have been enacted to protect that data.

A company also has proprietary information, including research, customer lists, bids, and proposals — information the company needs to survive and thrive. A company also has personal, medical, and financial information and security-related information such as passwords, physical access control and alarm documentation, firewall rules, security plans, security test and evaluation plans, risk assessments, disaster recovery plans, and audit reports. Suppliers and business partners may have shared their proprietary information to enable business processes and joint ventures. Appropriate access controls should be implemented to restrict access to all of these types of information. The effectiveness of any control will depend on the environment in which it is implemented and how it is implemented.

The need to protect individual, business, financial, and technology data in the United States has become paramount in the last 40 years because of the impact of unauthorized disclosure of such information. Key examples are the Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes–Oxley Act (SOX), the Department of State International Traffic in Arms Regulations (ITAR), and the Department of Commerce Export Administration Regulations (EAR). The presence of this legislation regarding the protection of certain types of information has mandated the implementation of security controls in many sectors of the U.S. economy. Companies are required to show due diligence in the protection of such information, which is a worthwhile objective, given the impact on an individual, a company, or the nation if this information is disclosed.

Depending on the legislation, the ramifications associated with noncompliance may be minimal or very significant. The penalty for the unlawful export of items or information controlled under the ITAR is up to ten years’ imprisonment or a fine of up to $1,000,000, or both, for criminal charges; civil charges have fines up to $500,000 per violation. The penalty for the unlawful export of items or information controlled under the EAR is a fine of up to $1,000,000 or five times the value of the exports, whichever is greater. For an individual, the penalty is imprisonment up to ten years or a fine of $10,000 to $120,000 per violation, or both. These are just the fines; not included are the costs of frequent reporting to the auditors for a designated time period regarding resolution of the data exposure and new corrective actions, damage to the brand of the company, or loss of current or prospective customers who will go elsewhere for their products and services. The cost of controls to protect such information is likely to be considerably less.


Identify the Organization’s Data and Its Characteristics

To identify the controls required to protect data, it is necessary to know what data the organization has. Some information may be more readily identified because human resources and finance departments and privacy offices have been identifying such data for a long time. But, to be complete in an analysis of corporate data, it is necessary to document all business processes and the associated data. What information is being created when the corporation builds a product, sells a product, or provides technical support on a product to a customer?

When the data has been identified, it is then necessary to determine its characteristics. Is it public data? Should access be restricted? Who can see and use the data? What persons cannot? Determining what information has to be protected will depend on the expertise of the data owners, account managers, program managers, business managers, research directors, and privacy and legal staff (and possibly others). In some instances, government legislation and regulations for certain types of data change over time, so a regular review of procedures and controls may be required to determine if the established controls are still appropriate. For the purposes of this chapter, the terms “sensitive” or “restricted” data are used to represent data that must be protected from access by individuals not authorized to have that data. This chapter is not addressing the protection of classified data, although many of the controls being described are used in protecting classified data.

Identify Data Owner and Data Custodians

After the company’s data has been determined, an individual who is responsible for that data must be identified. The data owner is a key resource in the definition of the company’s data, including the source, the type of data (personal, medical, financial), the business processes that use the data, the data form, the storage location of the data, and the means by which it is transmitted to others. This individual is also (ultimately) responsible for the integrity, confidentiality, and availability of the data under consideration. The data custodian is the person (or organization) entrusted with possession of and responsibility for the security of the specified data and must apply the rules established to protect the data. The cooperation of these individuals is vital to the determination of information sensitivity and criticality and the associated content-based data access controls.

Determine Information Sensitivity and Criticality

The two information designation categories are sensitivity and criticality, and each category may have multiple levels. The number of levels will depend not only on the varying types of information requiring protection but also on the protection measures available to protect a particular level of information. For example, if it is possible to implement only three levels of controls for a particular category because of resource restraints, then having five levels for that category will be more differentiation than can be implemented given those restraints. In instances where several levels have been identified, only the protection measures required for that specific level are applied to data associated with that level. The levels of sensitivity and criticality are usually determined by conducting a business impact assessment (BIA).

Sensitivity reflects the need to protect the confidentiality and integrity of the information. The minimum levels of sensitivity are sensitive and nonsensitive. Criticality reflects the need for continuous availability of the information. Here, the minimum levels are critical and noncritical. Sensitivity and criticality are independent designations. All corporate information should be evaluated to determine both its sensitivity and criticality. Information with any criticality level may have any level of sensitivity and vice versa.

Involve Key Resources in the Definition of Access Controls

When the data designations have been established for a given set of data, the controls to protect information with that sensitivity and criticality must then be defined. The information security organization will not be able to establish controls unilaterally and will require the cooperation and input of the human resources, legal, physical security, and information technology organizations — and, of course, senior management — to make this happen. These organizations will have to provide input regarding the mandated controls for protecting the data, identification of individuals or groups of individuals who are permitted to access the data, and what protective measures can be implemented and not adversely impact the conduct of business. Defining the required controls will also require knowledge of how the systems are configured, where the information is located, and who has access to those systems. This will require knowledge of the organization’s enterprise information technology architecture and its security architecture in order to implement the appropriate physical and logical access controls. All types of restricted data can be protected in the same way (system high), or the information can be grouped into different types by content and data-dependent access controls specified.

Establish Personnel Controls

Identify Job Functions Requiring Access to Restricted Data

In many cases, the ability to access data is defined by the individual’s job responsibilities; for example, human resources (HR) information is handled by HR specialists, medical information is handled by medical staff, and insurance information is handled by claims specialists. But, other company information will cross many organizational activities, including manufacturing, sales, and technical support for products sold. Identifying who is handling restricted information in an organization is not an easy process and requires an in-depth understanding of the company’s business processes and data flows. The data access flows for a particular company depend on the demographics of the employees, characteristics of the data, business functions and associated processes, physical configuration of the business facilities, and information technology infrastructure characteristics and configuration.

Screen Personnel Prior to Granting Access

Personnel accessing restricted information as part of their job responsibilities should have a level of background screening that is based on the sensitivity and criticality of the information. Data that has a higher sensitivity or higher criticality should be accessed only by trustworthy individuals, and this may require a more extensive background screening process. Individuals providing support to applications, systems, or infrastructure — for the organization or for a customer — should also meet the established access requirements. This would include employees and consultants who are providing administrative or technical support to the company databases and servers. With off-shore technical support being provided for many commercial off-the-shelf (COTS) products and company services, there is a greater risk that unauthorized individuals may, inadvertently, have access to restricted information.


Establish Physical Security Controls

Legislation and federal regulations may mandate that an individual who does not have authorized access to information cannot be provided with an “opportunity” to access that information; whether or not the individual would try to access the information has no bearing on this requirement — the possibility for exposure must not exist. What does this mean for the organization and its business processes?

Group Employees Working on Restricted Information

If possible, group individuals requiring access to a particular type of restricted information by floors or buildings. This reduces the opportunity for access by unauthorized individuals. If floors in a multiple-story building contain restricted information, badge readers can be installed to permit access to particular floors or corridors. Personnel granted access should not allow unauthorized persons to tailgate on their badges. Badge readers can also be installed in elevators that only permit access to certain floors by individuals with badges for those areas. Of course, persons exiting at a given floor must ensure that only authorized persons leave the elevator on that floor.

Define and Mark Restricted Areas

Persons who need to use restricted data as part of their job responsibilities should be physically separate from other employees and visitors in order to prevent inadvertent access to restricted data. Areas of restricted access should be defined based on employee job functions and marked with signs indicating that the area is a controlled access area, with a point of contact and telephone number for questions or assistance.

Implement Badge Readers

Each area containing restricted data should be controlled by a guard and hardcopy access control log or by a badge or biometric reader to grant and document access. The badge reader could be a contact reader or a proximity reader.

Provide Secure Storage for Data

Employees using restricted data as part of their work responsibilities need to have a secure location to store that information when it is not in use. This storage could be locked drawers and cabinets in the employee’s work space or specifically created access-controlled filing areas.

Install Alarms

Install physical alarms in restricted areas to alert guards regarding unauthorized physical access. Install electronic alarms on devices on the networks to alert security administrators to unauthorized access. Ensure that trained individuals are available to readily respond to such an alarm and reduce, if not resolve, the impact of the unauthorized access.

Mark Hardcopy and Label Media

Restricted information, whether in electronic or nonelectronic format, should be legibly and durably labeled as “RESTRICTED INFORMATION.” This includes workstation screen displays, electronic media, and hardcopy output. The copy number and handling instructions should be included on hardcopy documents.


Establish Management Controls

Develop Content-Dependent Access Control Policies and Procedures

Policies provide high-level direction and set management expectations, and procedures provide the step-by-step instructions for controlling access. It is human nature for users to perform tasks differently and inconsistently without proper direction. Inconsistent task performance increases the potential for unauthorized (accidental or intentional) access to take place. An acceptable and appropriate use policy sets management’s expectations concerning the protection of sensitive and critical information and the work-related use of e-mail and the Internet, as well as browsing, modifying, or deleting information belonging to others.

Establish Visitor Controls

Visitors may be required to access individuals and information residing in a restricted area. Before the visitor can be granted access to the area, it is important to document the purpose of the visit, determine need-to-know and fulfillment of legislative requirements, and provide a trained escort for the visitor. Information about a visitor, such as the purpose of the visit, employer (or organization the visitor represents), proof of citizenship, need-to-know, length of visit, and point of contact at the company, should be reviewed, approved, documented, and maintained by a security organization. If proof of citizenship is necessary, the visitor should bring a passport, birth certificate, or notarized copy of either for a security officer to review and verify. If a birth certificate is used, the individual should also bring government proof of identity (e.g., driver’s license).

A company should not allow individuals access to the company who have arrived at the last minute as part of a larger group from another organization. This is a common practice used by industrial espionage specialists, and it is quite effective because general courtesy would make it seem rude to exclude that person.

The escort for a visitor should be an individual who has an understanding of the information being requested, discussed, or presented and can make an accurate determination as to whether or not the visitor can receive, hear, or see the information. The escort should be prepared to remain with that individual throughout the visit or identify another appropriate employee who can assume the escort responsibilities as required.

Secure storage for a visitor’s unauthorized personal items should be provided. Depending on the sensitivity of the visit and the information being discussed, visitors may not be permitted to bring cellular phones, camera phones, pagers, personal digital assistants (PDAs), laptop computers, or other data collection instruments into the restricted areas.

Secure visitor passage corridors should be established. A walk-through prior to the visit can be used to verify that restricted information is properly secured. Escorts assigned to visitors should ensure that the visitors are not exposed to information for which they are not authorized, such as on whiteboards in meeting rooms or employee cubicles, in conversations overheard in hallways or breakrooms, or in documents in employee cubicles. The escort should control tour groups to prevent one or more individuals from breaking away from the group to pursue unauthorized discussions or observations.

Prevent Information Leakage at External Gatherings

Presentations and presentation materials for trade shows, conferences, and symposiums should be approved in advance. Attendees should be instructed about what topics can and cannot be discussed. Employees should be trained on the risks of discussing business functions or products with family, friends, colleagues, and acquaintances.


in most large organizations. For organizations with large data warehouses, data views are preapproved for various role-based groups. Content-based access control uses an arbiter program to determine whether a subject with discretionary access to a file can access specific records in the file. This model provides greater granularity than simple file access. Similar granularity is available using views for access to a database. Regardless of the access control model used, the design of access controls should be based on the principle of least privilege, and the continuing need for access should be revisited on an annual basis for each individual.

Establish Enterprise Security Architecture

Require Approved Hardware and Software

To ensure the integrity of the computing infrastructure and the associated information, hardware and software should be standardized and controlled by an information technology governance committee or organization; that is, the hardware and software should be on the approved list and only acquired from approved sources. Personnel wishing to use hardware and software not on the list should first obtain approval from the information technology governance committee or organization.

Harden Computing Platforms

Hardening control standards should be implemented specific to each platform. These standards should be updated as new vulnerabilities are uncovered and updates are available. Platforms should not be deployed to a production environment prior to hardening. Unnecessary services and applications should be removed or disabled. Unnecessary default accounts and groups should be removed or disabled. Computers should be configured to deny log-in after a small number of failed attempts. Controls should be configured to limit privileged access, update and execute access to software, and write access to directories and files. Guidelines should be established regarding a user's password length and associated format complexity. Security mechanisms, such as tokens or certificates, can be configured to strengthen the system administrator authentication requirements.

Track Hardware and Software Vulnerabilities

Vulnerability advisories involving the software and hardware in use within the corporation should be tracked and corrective actions implemented as deemed appropriate. Vulnerabilities within a Web server might allow attackers to compromise the security of the servers and gain unauthorized access to resources elsewhere in the organization's network.


Sensitive or Critical Data Access Controls 11

Implement Configuration and Change Management

Changes to hardware and software configurations should be managed to ensure that information resources are not inadvertently exposed to unnecessary risks and vulnerabilities. All changes should be appropriately tested, approved, and documented. Inappropriate configuration or improper operation of a Web server may result in the disclosure of restricted corporate information, information about users or administrators of the Web server including their passwords, or the configuration of the Web server or network that could be exploited in subsequent attacks.

Implement Software Security Features and Controls

Safeguards embedded in computer software should be activated to protect against compromise, subversion, or unauthorized manipulation. All features and files that have no demonstrable purpose should be disabled or removed. Default privileged log-on IDs, default passwords, and guest accounts should be disabled or removed. The use of administrative and root accounts for running production applications should be prohibited. Access to specific applications and files should be limited. Access to systems software utilities should be restricted to a small number of authorized users. Software that is unlicensed, borrowed, downloaded from online services, public domain shareware/freeware, or unapproved personal software should not be installed.

Sanitize Memory and Storage To Remove Data Residue

Allocated computer memory of shared devices should be sanitized before being made available for the next job (i.e., object reuse). Likewise, file storage space on shared devices should be sanitized before being reassigned.

Implement Virus Protection

Virus protection software should be installed and enabled. Centralization of automatic updates ensures that the latest versions of virus detection software and signature files are installed.

Implement Audit Logs

Audit logs should record significant operation-related activities and security-related events. Audit logs must be reviewed periodically for potential security incidents and security breaches. The use of an audit reduction tool increases the efficiency and accuracy of the log review.
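The following Python program is an added example and is not part of the handbook. It shows what an audit reduction step does in practice: routine operational events are dropped, repeated authentication failures are collapsed into one aggregate finding, and only events worth a reviewer's attention remain. The log line format, the host and user names, the addresses, and the failure threshold are all constructed for this example rather than taken from any real product.

```python
"""Audit log review with a simple reduction step (added example, not from the handbook)."""
import re
from collections import Counter

# Constructed sample audit log. Layout "timestamp host EVENT key=value ..." is an
# assumption made for the example; hosts, users and addresses are made up.
SAMPLE_LOG = """\
2020-01-09T08:00:01 dbsrv01 LOGIN_OK user=alice src=10.0.5.12
2020-01-09T08:00:07 dbsrv01 LOGIN_FAIL user=bob src=10.0.5.40
2020-01-09T08:00:09 dbsrv01 LOGIN_FAIL user=bob src=10.0.5.40
2020-01-09T08:00:11 dbsrv01 LOGIN_FAIL user=bob src=10.0.5.40
2020-01-09T08:00:13 dbsrv01 LOGIN_FAIL user=bob src=10.0.5.40
2020-01-09T08:00:15 dbsrv01 LOGIN_FAIL user=bob src=10.0.5.40
2020-01-09T08:00:20 dbsrv01 CRON_RUN job=nightly_backup
2020-01-09T08:01:00 dbsrv01 FILE_READ user=alice path=/restricted/payroll.csv class=RESTRICTED
2020-01-09T08:01:30 dbsrv01 PRIV_ESC user=carol to=root
2020-01-09T08:02:00 dbsrv01 CRON_RUN job=log_rotate
2020-01-09T08:02:10 dbsrv01 FILE_READ user=dave path=/public/handbook.pdf class=PUBLIC
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>[A-Z_]+)\s*(?P<rest>.*)$")

# Routine operational events the reduction step removes before human review.
ROUTINE_EVENTS = {"CRON_RUN", "LOGIN_OK"}
# Events that are significant on their own, however rare.
ALWAYS_REPORT = {"PRIV_ESC"}
# Policy value assumed for the example: this many failures per (user, source) is a finding.
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line):
    """Split one log line into a dict; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event"), **fields}


def reduce_log(text):
    """Return (kind, detail) findings a reviewer should look at, with repeats collapsed."""
    fail_counter = Counter()
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["event"] in ROUTINE_EVENTS:
            continue
        if rec["event"] == "LOGIN_FAIL":
            # Count now, report once per (user, source) after the pass.
            fail_counter[(rec.get("user"), rec.get("src"))] += 1
            continue
        if rec["event"] in ALWAYS_REPORT:
            findings.append(("privilege_change", rec))
        elif rec["event"] == "FILE_READ" and rec.get("class") == "RESTRICTED":
            findings.append(("restricted_access", rec))
    for (user, src), n in fail_counter.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_login_failure",
                             {"user": user, "src": src, "count": n}))
    return findings


if __name__ == "__main__":
    for kind, detail in reduce_log(SAMPLE_LOG):
        print(kind, detail)
```

Eleven raw lines reduce to three findings: one read of a restricted file, one privilege change, and one aggregate of five failed log-ins from a single source. Reads of public data and scheduled jobs never reach the reviewer, which is the point of the reduction step; the full log is still retained for investigation.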

Establish Separate Database Servers for Restricted Data

Corporate data is often stored in large databases or data warehouses that are accessible to all employees and contractors, but not all employees and contractors should have access to the data. The use of knowledge discovery in database (KDD) tools for data exploration (often called data mining) in an iterative process can result in the discovery of "interesting" outcomes. It is possible that those outcomes can support the inference or actual discovery of restricted information, even with individual identification and authentication measures for data access in place. Information systems and databases containing restricted information should be separate from other servers, including Web and application servers, in order to ensure that unauthorized individuals cannot gain access to restricted information. Such database servers must also implement security controls appropriate for the level of sensitivity and criticality of the information they contain.


Control Web Bots

Web bots (also known as agents or spiders) are software applications used to collect, analyze, and index Web content. An organization may not want its Web site appearing in search engines or have information disclosed that it would prefer to remain private or at least unadvertised (e.g., e-mail addresses, personal Internet accesses).

Implement File Integrity Checkers

A file integrity checker computes and stores a checksum for every guarded file. Where feasible, checksums should be computed, stored, and continually checked for unauthorized changes on restricted data.
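As an added example (not the handbook's code or any particular product), the Python program below implements the two halves of a file integrity checker described above: a baseline run that records a SHA-256 digest for every guarded file, and a verification run that reports modified, missing, and newly added files. The directory contents and file names are constructed for the demonstration.

```python
"""Minimal file integrity checker: baseline, store, verify (added example)."""
import hashlib
import json
import os
import tempfile

BLOCK = 65536


def file_digest(path):
    """SHA-256 of a file, read in blocks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Checksum every file under root; paths are stored relative, with '/' separators."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(full), "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline, store_path):
    with open(store_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(store_path):
    with open(store_path) as f:
        return json.load(f)


def verify(root, baseline):
    """Compare the tree against the stored baseline and report every deviation."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p]["sha256"] != baseline[p]["sha256"]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build a constructed guarded tree, baseline it, tamper with it, and re-check."""
    root = tempfile.mkdtemp(prefix="fic_guarded_")
    store = tempfile.mkdtemp(prefix="fic_store_")  # stands in for a read-only baseline location
    os.makedirs(os.path.join(root, "restricted"))
    with open(os.path.join(root, "restricted", "payroll.csv"), "w") as f:
        f.write("id,name,salary\n1,alice,1000\n")  # constructed sample data
    with open(os.path.join(root, "config.ini"), "w") as f:
        f.write("[db]\nhost=dbsrv01\n")
    save_baseline(build_baseline(root), os.path.join(store, "baseline.json"))

    # Simulated unauthorized changes: an appended record, a deleted file, a dropped-in script.
    with open(os.path.join(root, "restricted", "payroll.csv"), "a") as f:
        f.write("2,mallory,99999\n")
    os.remove(os.path.join(root, "config.ini"))
    with open(os.path.join(root, "dropped.sh"), "w") as f:
        f.write("#!/bin/sh\n")

    return verify(root, load_baseline(os.path.join(store, "baseline.json")))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline is only as trustworthy as its storage: keep it (and the checker itself) where the monitored host cannot rewrite it, or an intruder who alters a file can simply re-baseline. A keyed HMAC in place of the plain digest, with the key held off the host, is the usual way to close that gap.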

Implement Secure Enclaves

Information designated as restricted may be placed in a secure enclave. Secure enclaves are network areas where special protections and access controls, such as firewalls and routers, are utilized to secure the information. Secure enclaves apply security rules consistently and protect multiple systems across application boundaries. Secure enclaves should employ protection for the highest level of information sensitivity in that enclave.

Protect the Perimeter

The perimeter between the corporate network and the Internet should be protected by implementing firewalls and demilitarized zones (DMZs). Firewalls should run on a dedicated computer with all nonessential software unrelated to the firewall function, such as compilers, editors, and communications software, deleted. The firewall should be configured to deny all services not expressly permitted, audit and monitor all services including those not permitted, detect intrusions or misuse, notify the firewall administrator in near real time of any item that may require immediate attention, and stop passing packets if the logging function becomes disabled. Web servers and electronic commerce systems accessible to the public must reside within a DMZ with approved access control, such as a firewall or controlled interface. Sensitive and critical data should not reside within a DMZ. All inbound traffic to the intranet from the DMZ must be passed through a proxy-capable device.
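The policy in the paragraph above (deny everything not expressly permitted, log permitted and denied traffic alike, and stop forwarding when logging fails) is small enough to model directly. The Python below is an added example, not the handbook's code or any vendor's firewall; the rule set, the DMZ and intranet addresses, and the packet records are constructed for the demonstration.

```python
"""Default-deny, fail-closed perimeter rule evaluation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR of allowed sources
    dst: str              # CIDR of allowed destinations
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port


def _matches(rule, pkt):
    if rule.proto not in ("any", pkt["proto"]):
        return False
    if rule.dport is not None and rule.dport != pkt["dport"]:
        return False
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst))


class Firewall:
    def __init__(self, rules, log_sink):
        self.rules = rules
        self.log_sink = log_sink  # callable(record); raises when the audit log is unavailable

    def decide(self, pkt):
        """First matching rule wins; no match means deny. Every decision is logged."""
        action, matched = "deny", None  # default deny: nothing is permitted implicitly
        for rule in self.rules:
            if _matches(rule, pkt):
                action, matched = rule.action, rule
                break
        record = {"pkt": pkt, "action": action, "rule": matched}
        try:
            self.log_sink(record)  # denied traffic is logged too, so misuse can be detected
        except Exception:
            return "deny"  # fail closed: stop passing packets when logging is disabled
        return action


def demo():
    """Constructed DMZ layout: web server 192.0.2.10, intranet proxy 10.0.0.5, database 10.0.1.20."""
    log = []
    rules = [
        Rule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),    # Internet -> DMZ web server
        Rule("permit", "192.0.2.0/24", "10.0.0.5/32", "tcp", 3128),  # DMZ -> proxy-capable device
    ]
    fw = Firewall(rules, log.append)
    web = {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}
    out = {
        "web": fw.decide(web),
        "db_direct": fw.decide({"src": "203.0.113.7", "dst": "10.0.1.20", "proto": "tcp", "dport": 1433}),
        "dmz_to_proxy": fw.decide({"src": "192.0.2.10", "dst": "10.0.0.5", "proto": "tcp", "dport": 3128}),
        "dmz_to_db": fw.decide({"src": "192.0.2.10", "dst": "10.0.1.20", "proto": "tcp", "dport": 1433}),
    }
    out["logged"] = len(log)

    def broken_sink(record):
        raise OSError("audit log unavailable")

    out["web_without_logging"] = Firewall(rules, broken_sink).decide(web)
    return out


if __name__ == "__main__":
    print(demo())
```

Note that a compromised DMZ host still cannot reach the database directly: the only path inward that the rules grant is to the proxy, which is the "proxy-capable device" the paragraph requires, and all four decisions (two permits, two denies) appear in the log.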

Control Business Partner Connections

When establishing third-party connections, access controls and administrative procedures should be implemented to protect the confidentiality of corporate information and that of its business partners when such information is maintained in the corporate network.

Implement Operational Controls

Authenticate Users

Authentication can be based on something the user knows (password, personal identification number [PIN], or passphrase), something the user holds (token), or some user characteristic (biometric). The use of PINs should be restricted to applications with low risk. Passwords should be complex and at least eight characters in length. Personal passphrases are the preferred knowledge-based authenticator because they can be 15 or more characters in length; they can be made more complex by the use of upper- and lowercase alphabetic characters, numbers, and special characters; and they are easy to remember (i.e., they do not have to be written down). The number of unsuccessful authentication attempts should be limited, and the user should just be told that the access attempt failed, not why it failed.


Implement Remote Access Controls

Where remote access is required, remote access security should be implemented. Information resources requiring remote access should be capable of strong authentication. Remote access from a non-corporate site should require users or devices to authenticate at the perimeter or connect through a firewall. Personnel outside corporate firewalls should authenticate at the perimeter. In addition, personnel outside corporate firewalls should use an encrypted session, such as a virtual private network (VPN) or Secure Sockets Layer (SSL).

Implement Intrusion Detection and Intrusion Prevention Systems

Intrusion detection and prevention systems should be implemented to detect and shut down unapproved access to information resources.

Encrypt Restricted Information

Restricted information transmitted over untrusted networks should be encrypted. Restricted information stored on portable devices and media (e.g., backups) that leave a secured area should be encrypted. Depending on the level of sensitivity, it may also be prudent to encrypt information in storage.

Implement Workstation Controls

Workstations should have an approved personal firewall installed. Other security controls may include, but are not limited to, positioning the screen to restrict viewing by passersby, a lockable keyboard, a power lock, and desk-fastening hardware. Computer sessions should time out after a period of inactivity and require reauthentication to continue the session. The reauthentication can be a password, a token such as a fob or smart card, or a biometric. The location of the workstation and the signal strength of the device must be considered for proximity fobs and smart cards to ensure that the session is not reactivated when the user and the user's device are in an adjacent hallway, breakroom, restroom, etc., because the signal may not be attenuated by interior walls and cubicles.

Implement Controls for Portable Devices

Portable devices must be protected against damage, unauthorized access, and theft. All personnel who use or have custody of portable devices, such as laptop computers, notebook computers, palm tops, handheld devices, wireless telephones, and removable storage media devices, are responsible for their safekeeping and the protection of any sensitive or critical information stored on them. Laptop and notebook computers should connect to the corporate intranet at least once a week to receive the latest software patches, antivirus pattern recognition files, and personal firewall patterns. In addition, sensitive information on portable devices must be protected (e.g., encrypted) when leaving a secure environment.

Release Information on Factory-Fresh or Degaussed Media

Before releasing information on electronic media outside the corporation, the information should be copied onto factory-fresh media (never used) or onto media appropriately degaussed to prevent the inadvertent release of restricted information.

Implement Precautions Prior to Maintenance

To prevent inadvertent disclosure of restricted information, all hardware and electronic media being released for maintenance outside of corporate facilities should, prior to release, undergo data eradication, or the corporation should have in place a legally binding contract with the contractor or vendor regarding the secure handling and storage of the hardware and electronic media.


Eradicate Electronic Hardware and Media Prior to Disposal

To prevent inadvertent disclosure of restricted information, all electronic hardware and media must, prior to being disposed of, undergo data eradication. Unacceptable practices of erasure include a high-level file erase or high-level formatting that only removes the address location of the file. Acceptable methods of complete erasure include zero-bit formatting, degaussing, overwriting several times (the number depends on information sensitivity), and physical destruction.
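The difference between the unacceptable and acceptable methods above is visible in code. The Python below is an added example, not the handbook's: it overwrites a file's contents in place with several random passes followed by a zero-bit pass, forcing each pass to the device before the next, and only then removes the directory entry that a plain delete would have removed on its own. The pass count is a policy parameter, and the file contents are constructed. One caveat the paragraph's "degaussing" and "physical destruction" options already imply: in-place overwriting is only effective where the logical block is rewritten in the same physical location, so on flash media with wear leveling, or on copy-on-write and journaling file systems, earlier copies of the data can survive and the stronger methods are needed.

```python
"""Multi-pass overwrite before deletion (added example; see caveat in the text above)."""
import os
import tempfile

CHUNK = 65536


def _fill(f, size, make_block):
    """Overwrite the open file from offset 0 to size using make_block(n) for each chunk."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(remaining, CHUNK)
        f.write(make_block(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # make the pass reach the device before the next one begins


def overwrite_passes(path, passes=3):
    """Random passes (count is a policy choice) followed by a zero-bit pass. Returns the size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            _fill(f, size, os.urandom)
        _fill(f, size, lambda n: b"\x00" * n)  # final zero pass: inert, recognisable pattern
    return size


def eradicate_file(path, passes=3):
    """Overwrite, confirm the residue is all zeros, then unlink. Returns True on success."""
    size = overwrite_passes(path, passes)
    with open(path, "rb") as f:
        residue = f.read()
    os.remove(path)  # a delete alone only removes the address location, as the text notes
    return residue == b"\x00" * size


def demo():
    """Create a constructed restricted file, eradicate it, report whether nothing remains."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        f.write(b"RESTRICTED id,name,salary\n1,alice,1000\n2,bob,1200\n")  # constructed content
    erased = eradicate_file(path)
    return erased and not os.path.exists(path)


if __name__ == "__main__":
    print("eradicated:", demo())
```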

Remove Access on Terminations and Transfers

Routine separation of personnel occurs when an individual receives reassignment or promotion, resigns, retires, or otherwise departs under honorable and friendly conditions. Unless adverse circumstances are known or suspected, such individuals should be permitted to complete their assigned duties and follow official employee departure procedures. When personnel leave under nonadverse circumstances, the individual's manager, supervisor, or contracting officer must ensure that all accountable items, including keys, access cards, laptop computers, and other computer-related equipment are returned; the individual's computer log-on ID and building access authorizations must be terminated coincident with the employee's or contractor's effective date of departure, unless needed in the new assignment; and all restricted information, in any format, in the custody of the terminating individual must be returned, destroyed, or transferred to the custody of another individual.

Removal or dismissal of personnel under involuntary or adverse conditions includes termination for cause, involuntary transfer, and departure with pending grievances. In addition to the routine separation procedures, termination under adverse conditions requires extra precautions to protect corporate information resources and property. The manager, supervisor, or contracting officer of an individual being terminated under adverse circumstances must ensure that the individual is escorted and supervised at all times while in any location that provides access to corporate information resources; immediately suspend and take steps to terminate the individual's computer log-on IDs, physical access to information systems, and building access authorizations; ensure prompt changing of all computer passwords, access codes, badge reader programming, and physical locks used by the individual being dismissed; and ensure the return of accountable items and correct disposition of "restricted information" as described under routine separation.

Train Users To Protect Restricted Data

Employees must be trained in the identification, marking, handling, and storage of restricted data. A company with a large number of employees that handle restricted information should consider creating an automated mechanism for training and tracking of training, so the security personnel are not bogged down. Security personnel should be available to answer questions, however. Materials and periodic opportunities should be created to remind employees of their responsibilities to protect information and provide annual refreshers.

Destroy Information No Longer Needed

Hardcopy containing restricted information no longer needed should be cross-shredded on site or stored in a secure container for pickup by a service provider. Electronic removable media containing restricted information should be sanitized before reuse or destroyed.


Monitoring for Compliance

Inspect Restricted Data Areas

Physical reviews of areas containing restricted data should be conducted to ensure the data is being appropriately handled, marked, and stored. Other areas of the company should be reviewed to ensure that restricted data is not located in those spaces.

Review Electronic Data Access

System and application logs should be reviewed for intrusion and unauthorized access to restricted information. Access authorizations should also be reviewed periodically to ensure that individuals who no longer require access have been removed.

Ramifications for Noncompliance

What will be the costs to a company for not implementing required information security controls? What fines would be imposed on its operations? Could the company be sued because exposure of an employee's personal information caused significant embarrassment or harm? Will the company's image be tarnished? What would the costs be in terms of loss of customers? It is hoped that the experiences of others can provide an incentive for action, although organizations must be prepared to address the "it can't happen here" attitude. They will have to depend on the expertise of the data owners, account managers, program managers, business managers, research directors, and privacy and legal staff (and possibly others) not only to determine what information has to be protected and how to protect it but also to help justify why it must be protected. The controls that may have to be put into place to protect the company's data may seem extensive, but the costs associated with not protecting the information can be enormous.

Posted: 09/01/2020, 08:44
