Cyber Security

This document contains the answers to questions about information and network security practices from a student named Nidhi N. Shah with roll number 28 studying Cyber Security. It discusses five key security management practices for information security: recognizing information resources as essential assets, developing practical risk assessment procedures, holding program managers accountable, managing risk on an ongoing basis, and designating dedicated funding and staff. It also discusses one key practice for network security management: taking a holistic view of the entire network.

Uploaded by

Nidhi Shah

Name: Nidhi N. Shah
Roll no: 28
Subject: Cyber Security
Assignment 2

Q. 1 Discuss the various security management practices used for Information and network
security.
Answer:
Security management practices used for Information Security:
Practice 1: Recognize Information Resources as Essential Organizational Assets That Must Be Protected
In particular, senior executive recognition of information security risks and interest in
taking steps to understand and manage these risks were the most important factors in
prompting development of more formal information security programs. Such high-level
interest helped ensure that information security was taken seriously at lower organizational
levels and that security specialists had the resources needed to implement an effective
program.

This contrasts with the view expressed to us by numerous federal managers and
security experts that many top federal officials have not recognized the indispensable
nature of electronic data and automated systems to their program operations. As a result,
security-related activities intended to protect these resources do not receive the resources
and attention that they merit.

In some cases, senior management's interest had been generated by an incident that
starkly illustrated the organization's information security vulnerabilities, even though no
damage may have actually occurred. In other cases, incidents at other organizations had
served as a "wake-up call." Two organizations noted that significant interest on the part of
the board of directors was an important factor in their organizations' attention to
information security. However, security managers at many of the organizations told us that
their chief executive officers or other very senior executives had an ongoing interest in
information technology and security, which translated into an organization-wide emphasis
on these areas.

Although the emphasis on security generally emanated from top officials, security
specialists at lower levels nurtured this emphasis by keeping them abreast of emerging
security issues, educating managers at all levels, and by emphasizing the related business
risks to their own organizations.
Practice 2: Develop Practical Risk Assessment Procedures That Link

The organizations we studied had tried or were exploring various risk assessment
methodologies, ranging from very informal discussions of risk to fairly complex methods
involving the use of specialized software tools. However, the organizations that were the
most satisfied with their risk assessment procedures were those that had defined a
relatively simple process that could be adapted to various organizational units and involved
a mix of individuals with knowledge of business operations and technical aspects of the
organization's systems and security controls.

The manufacturing company had developed an automated checklist that asked
business managers and relevant staff in individual units a series of questions that prompted
them to consider the impact of security controls, or a lack thereof, on their unit's
operations. The results of the analysis were reported in a letter to senior management that
stated the business unit's compliance with the security policy, planned actions to become
compliant, or willingness to accept the risk. The results were also reported to the internal
auditors, who used them as a basis for reviewing the business unit's success in
implementing the controls that the unit's managers had determined were needed. Through
the reporting procedure, the business managers took responsibility for either tolerating or
mitigating security risks associated with their operations.

Such procedures provided a relatively quick and consistent means of exploring risk
with business managers, selecting cost-effective controls, and documenting conclusions and
business managers' acceptance of final determinations regarding what controls were
needed and what risks could be tolerated. With similar objectives in mind, the utility
company had developed a streamlined risk assessment process that brought together
business managers and technical experts to discuss risk factors and mitigating controls. 

Practice 3: Hold Program and Business Managers Accountable

"Holding business managers accountable and changing the security staff's role from
enforcement to service has been a major paradigm shift for the entire company." -Security
manager at a major equipment manufacturer

The organizations we studied were unanimous in their conviction that business
managers must bear the primary responsibility for determining the level of protection
needed for information resources that support business operations. In this regard, most
held the view that business managers should be held accountable for managing the
information security risks associated with their operations, much as they would for any
other type of business risk. However, security specialists played a strong educational and
advisory role and had the ability to elevate discussions to higher management levels when
they believed that risks were not being adequately addressed.
Business managers, usually referred to as program managers in federal agencies, are
generally in the best position to determine which of their information resources are the
most sensitive and what the business impact of a loss of integrity, confidentiality, or
availability would be. Business or program managers are also in the best position to
determine how security controls may impair their operations. For this reason, involving
them in selecting controls can help ensure that controls are practical and will be
implemented.

Accordingly, security specialists had assumed the role of educators, advisors, and
facilitators who helped ensure that business managers were aware of risks and of control
techniques that had been or could be implemented to mitigate the risks. For several of the
organizations, these roles represented a dramatic reversal from past years, when security
personnel were viewed as rigid, sometimes overly protective enforcers who often did not
adequately consider the effect of security controls on business operations.

Practice 4: Manage Risk on a Continuing Basis

"Information security is definitely a journey, not a destination--there are always new
challenges to meet." - Chief information security officer at a major financial services
corporation

The organizations emphasized the importance of continuous attention to security to
ensure that controls were appropriate and effective. They stressed that constant vigilance
was needed to ensure that controls remained appropriate--addressing current risks and not
unnecessarily hindering operations--and that individuals who used and maintained
information systems complied with organizational policies.

Such attention is important for all types of internal controls, but it is especially
important for security over computerized information, because, as mentioned previously,
the factors that affect computer security are constantly changing in today's dynamic
environment. Such changing factors include threats, systems technologies and
configurations, known vulnerabilities in existing software, the level of reliance on
automated systems and electronic data, and the sensitivity of such operations and data.

Practice 5: Designate Dedicated Funding and Staff

Unlike many federal agencies, the central groups we studied had defined budgets,
which gave them the ability to plan and set goals for their organization's information
security program. At a minimum, these budgets covered central staff salaries and training
and security hardware and software. At one organization, business units could supplement
the central group's resources in order to increase the central group's participation in high
priority projects. While all of the central groups had staffs ranging from 3 to 17 people
permanently assigned to the group, comparing the size of these groups is of limited value
because of wide variations in the (1) sizes of the organizations we studied, (2) inherent
riskiness of their operations, and (3) the additional support the groups received from other
organizational components and from numerous subordinate security managers and
administrators.

In particular, no two groups were alike regarding the extent of support they received
from other organizational units. For example, the computer vendor relied on a security
manager in each of the organization's four regional business units, while the utility's nine-
member central group relied on 48 part-time information security coordinators at various
levels within the company. Some central groups relied heavily on technical assistance
located in another organizational unit, while others had significant technical expertise
among their own staff, and, thus, were much more involved in directly implementing and
testing controls.

Security management practices used for Network Security:

Practice 1: Network Security Management Requires a Macro View

Organizations need a holistic view of their network. With disparate vendor devices
and hosts, security teams need a normalized, comprehensive view of the network,
including: routing rules, access rules, NAT, VPN, etc.; hosts, including all products (and
versions), services, vulnerabilities, and patches; and assets, including asset groupings and
classifications.

With a comprehensive view of the network, security teams can view hosts in the
network, as well as configurations, classifications and other pertinent information. A
network map or model is both a useful visualization tool and a diagnostic tool, providing
analysis that is only possible when considering an overall view. For example, security and
compliance teams can use this macro view to see how data would move between points on
the network.

Additionally, it highlights information that is missing, such as hosts, access control list
(ACL) data, and more.  

Sophisticated analytics can be conducted quickly and accurately in a model-based
environment, without disrupting the live network. Access path analysis helps to validate
changes and can troubleshoot outages or connectivity issues, enhancing visibility and
improving security processes. “What-if” analysis indicates both accessible and blocked
destinations for designated data.

Practice 2: Daily Device Management Requires a Micro View


Although the macro view is needed to see how all the pieces of the network fit
together, network administrators must also be able to drill down into the details for a
particular device, easily accessing information on rules, access policies, and configuration
compliance. And this information must be considered within the framework of the broader
network, including context such as segments or zones, routing, routers, switches, intrusion
prevention systems (IPS), and firewalls.

Information must be provided in a digestible fashion. The network components that
impact the device will undoubtedly come from various vendors, creating data of different
vendor languages that must be deciphered, correlated, and optimized to allow
administrators to streamline rule sets. For example, administrators need to be able to block
or limit access by application and view violations of these access policies.

Daily or weekly reviews of all devices on the network are unattainable with a manual
process, and reviewing device configurations less frequently puts network security and
compliance at risk. Automating policy compliance helps ensure compliance and consistency,
and preserves IT resources.

Ideally, a network modelling tool that provides a macro view should also allow
administrators to drill down into a micro view of each device, providing information on
users, applications, vulnerabilities, and more. This allows administrators to see the broader
network view and then focus in on particular devices for management.

Practice 3: Simulate Attacks for Context-Aware Risk Assessments

Merely knowing the network vulnerabilities and their criticality is insufficient for
understanding the true level of risk to an organization. Today’s attacks often incorporate
multiple steps that cross several different network zones, and an isolated view of any of
these steps could appear innocuous.  

Attack simulation technology automatically looks at the holistic network – business
assets, known threats and vulnerabilities – and identifies what would happen if the
conditions were combined. Attack simulation can also evaluate potential options to block
an attack, providing intelligence for decision support. Understanding the likelihood of an
attack and its potential impact against valuable targets is the key to assessing which
vulnerabilities and threats pose the most risk.

Attack simulation technology looks at network context, asset criticality, business
metrics, and existing security controls when determining the impact of a potential attack.
For example, if an asset runs an application that is crucial to maintaining the business and
requires continuous availability, a medium-level vulnerability that threatens to disable this
asset might be a high-level risk to this particular business.

The impact of deploying a particular security control must also be considered.
Keeping an IPS continually on active mode can impact network performance. Attack
simulation tools enable security teams to target use of their IPS protection, activating only
necessary signatures, maximizing performance, and prioritizing vulnerabilities.

Practice 4: Secure Change Management Is Critical  

Once a network is in compliance, a secure change management process is needed to
maintain continuous compliance and validate that planned changes do not introduce new
risk. Secure change management incorporates risk assessment in an orchestrated,
standardized process; flags changes outside of this structure, allows administrators to
reconcile flagged changes, and troubleshoots where needed. Secure change management
verifies that changes were implemented as intended, identifies when a change has
unintended consequences, and highlights unapproved changes.

For example, a change management process can flag when a network change will
expose vulnerabilities, when a firewall change opens access to risky services, or when there
is an unauthorized access path from a partner to an internal zone. More importantly, to
maintain network security, change management processes can be used to determine the
impact of a proposed change before implementing the change.
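As an added illustration, not part of the original assignment or of any product it describes, the following Python models a small network of zones and firewall rules, enumerates the multi-hop access paths that the macro view and attack simulation practices describe, and evaluates a proposed rule the way secure change management does, flagging a risky service or a new partner-to-internal access path before the change is implemented. The zone names, rules and risky-port list are constructed assumptions.

```python
from collections import deque

# Constructed sample network model (an assumption, not from the original page):
# each allow rule is (src_zone, dst_zone, dst_port); anything absent is denied.
RULES = {
    ("partner", "dmz", 443),      # partner portal reaches the DMZ web tier
    ("dmz", "internal", 1433),    # web tier reaches the internal database
    ("internal", "dmz", 443),     # staff browse the DMZ web tier
}

# Services a reviewer would not want exposed from an untrusted zone (assumed list).
RISKY_PORTS = {23: "telnet", 445: "smb", 3389: "rdp"}


def access_paths(rules, src, dst):
    """Model-based access path analysis: enumerate every chain of allow rules
    through which traffic can travel from src zone to dst zone. A multi-hop
    chain is exactly what an isolated review of each rule would miss."""
    paths, queue = [], deque([(src, [src], [])])
    while queue:
        zone, visited, hops = queue.popleft()
        for s, d, port in rules:
            if s != zone or d in visited:
                continue
            chain = hops + [(s, d, port)]
            if d == dst:
                paths.append(chain)
            else:
                queue.append((d, visited + [d], chain))
    return paths


def what_if(rules, proposed, untrusted="partner", protected="internal"):
    """'What-if' analysis of a proposed rule before it is implemented: report a
    risky service opened from the untrusted zone, and any access path from the
    untrusted zone into the protected zone that only exists after the change."""
    findings = []
    src, dst, port = proposed
    if src == untrusted and port in RISKY_PORTS:
        findings.append(f"opens {RISKY_PORTS[port]} ({port}) from {src} to {dst}")
    before = access_paths(rules, untrusted, protected)
    for path in access_paths(rules | {proposed}, untrusted, protected):
        if path not in before:
            route = " -> ".join(f"{s}:{p}" for s, _, p in path) + f" -> {protected}"
            findings.append(f"new {untrusted}->{protected} access path: {route}")
    return findings
```

With the sample rules, `access_paths(RULES, "partner", "internal")` already reveals a two-hop partner -> dmz -> internal path that no single rule shows, and `what_if(RULES, ("partner", "internal", 445))` reports both the risky service and the new direct path.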

Implementing these four best practices for network security management can reduce
risk across the network. With visibility on both the network and device level, tremendous
amounts of data are translated into intelligence that deciphers complicated network
security transactions into manageable, actionable information. With this insight, attack
simulation can then prioritize vulnerabilities and eliminate the attack vectors that are most
critical to the organization, protecting business services and data. Finally, change
management can automate and optimize security processes to improve security and reduce
the security management workload.   
