2 pages, APA style: answer the question
Distinguish between a policy, a standard, a baseline, a procedure, a guideline, and a plan. Identify policy elements and include the proper information in each element of a policy.
Security Program and Policies
Principles and Practices
by Sari Stern Greene
Chapter 3: Information Security Framework
Copyright 2014 Pearson Education, Inc.
Objectives
Recognize the importance of the CIA security model and describe the security objectives of confidentiality, integrity, and availability
Discuss why organizations choose to adopt a security framework
Recognize the values of NIST resources
Understand the intent of ISO/IEC 27000-series of information security standards
Outline the domains of an information security program
CIA
The CIA Triad or CIA security model
Stands for Confidentiality, Integrity, and Availability
An attack against any one or several of the elements of the CIA triad is an attack against the information security of the organization
Protecting the CIA triad means protecting the assets of the company
What Is Confidentiality?
Not all data owned by the company should be made available to the public
Failing to protect data confidentiality can be disastrous for an organization:
Dissemination of Protected Health Information (PHI) between doctor and patient
Dissemination of Protected Financial Information (PFI) between bank and customer
Dissemination of business-critical information to rival company
What Is Confidentiality? Cont.
Only authorized users should gain access to information
Information must be protected when it is used, shared, transmitted, and stored
Information must be protected from unauthorized users both internally and externally
Information must be protected whether it is in digital or paper format
What Is Confidentiality? Cont.
The threats to confidentiality must be identified. They include:
Hackers and hacktivists
Shoulder surfing
Lack of shredding of paper documents
Malicious Code (Virus, worms, Trojans)
Unauthorized employee activity
Improper access control
What Is Integrity?
Protecting data, processes, or systems from intentional or accidental unauthorized modification
Data integrity
System integrity
A business that cannot trust the integrity of its data is a business that cannot operate
An attack against data integrity can mean the end of an organization’s capability to conduct business
What Is Integrity? Cont.
Threats to data integrity include:
Human error
Hackers
Unauthorized user activity
Improper access control
Malicious code
Interception and alteration of data during transmission
What Is Integrity? Cont.
Controls that can be deployed to protect data integrity include:
Access controls:
Encryption
Digital signatures
Process controls:
Code testing
Monitoring controls:
File integrity monitoring
Log analysis
Behavioral controls:
Separation of duties
Rotation of duties
End user security training
What Is Availability?
Availability: The assurance that the data and systems are accessible when needed by authorized users
What is the cost of the loss of data availability to the organization?
A risk assessment should be conducted to more efficiently protect data availability
What Is Availability? Cont.
Threats to data availability include:
Natural disaster
Hardware failures
Programming errors
Human errors
Distributed Denial of Service attacks
Loss of power
Malicious code
Temporary or permanent loss of key personnel
The Five A’s of Information Security
Accountability
Assurance
Authentication
Authorization
Accounting
The Five A’s of Information Security Cont.
Accountability
All actions should be traceable to the person who committed them
Logs should be kept, archived, and secured
Intrusion detection systems should be deployed
Computer forensic techniques can be used retroactively
Accountability should be focused on both internal and external actions
The Five A’s of Information Security Cont.
Assurance
Security measures need to be designed and tested to ascertain that they are efficient and appropriate
The knowledge that these measures are indeed efficient is known as assurance
The activities related to assurance include:
Auditing and monitoring
Testing
Reporting
The Five A’s of Information Security Cont.
Authentication
Authentication is the cornerstone of most network security models
It is the positive identification of the person or system seeking access to secured information and/or system
Examples of authentication models:
User ID and password combination
Tokens
Biometric devices
The Five A’s of Information Security Cont.
Authorization
Act of granting users or systems actual access to information resources
Note that the level of access may change based on the user’s defined access level
Examples of access level include the following:
Read only
Read and write
Full
The Five A’s of Information Security Cont.
Accounting
Defined as the logging of access and usage of resources
Keeps track of who accesses what resource, when, and for how long
An example of use:
Internet café, where users are charged by the minute of use of the service
Who Is Responsible for CIA?
Information owner
An official with statutory or operational authority for specified information
Has the responsibility for ensuring information is protected from creation through destruction
Information custodian
Maintains the systems that store, process, and transmit the information
Information Security Framework
Two of the most widely used frameworks are:
Information Technology and Security Framework by NIST
Information Security Management System by ISO
NIST Functions
Founded in 1901
Nonregulatory federal agency
Its mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve quality of life
Published more than 300 information security-related documents including
Federal Information Processing Standards
Special Publication 800 series
ITL bulletins
ISO Functions
A network of national standards institutes of 146 countries
Nongovernmental organization that has developed more than 13,000 international standards
The ISO/IEC 27000 series represents information security standards published jointly by ISO and the International Electrotechnical Commission (IEC)
ISO 27002:2013 Code of Practice
Comprehensive set of information security recommendations on best practices in information security
ISO 27002:2013 is organized in the following domains:
Information security policies (Section 5)
Organization of information security (Section 6)
Human Resources security (Section 7)
Asset management (Section 8)
Access control (Section 9)
Cryptography (Section 10)
Physical and environmental security (Section 11)
ISO 27002:2013 Code of Practice cont.
Operations security (Section 12)
Communications security (Section 13)
Information systems acquisition, development, and maintenance (Section 14)
Supplier relationships (Section 15)
Information security incident management (Section 16)
Business continuity (Section 17)
Compliance management (Section 18)
Summary
The CIA triad is the blueprint of what assets need to be protected to protect the organization.
Protecting the organization’s information security can seem vague and too conceptual. Protecting the confidentiality, integrity, and availability of the data is a concrete way of saying the same thing.
Standards such as the ISO 27002 exist to help organizations better define appropriate ways to protect their information assets.