Firsttestans


1. Describe CNSS model.

(1, 7a)

The Committee on National Security Systems (CNSS) defines information security as the
protection of information and its critical elements, including the systems and hardware that
use, store, and transmit that information. Figure 1-3 shows that information security
includes the broad areas of information security management, computer and data security,
and network security. The CNSS model of information security evolved from a concept
developed by the computer security industry called the C.I.A. triangle. The C.I.A. triangle has
been the industry standard for computer security since the development of the mainframe.
It is based on the three characteristics of information that give it value to organizations:
confidentiality, integrity, and availability. The security of these three characteristics of
information is as important today as it has always been, but the C.I.A. triangle model no
longer adequately addresses the constantly changing environment.

CNSS Security Model
The definition of information security presented in this text is based in part on the CNSS
document called the National Training Standard for Information Systems Security
Professionals NSTISSI No. 4011. (See www.cnss.gov/Assets/pdf/nstissi_4011.pdf. Since this
document was written, the NSTISSC was renamed the Committee on National Security
Systems (CNSS)—see www.cnss.gov. The library of documents is being renamed as the
documents are rewritten.) This document presents a comprehensive information security
model and has become a widely accepted evaluation standard for the security of
information systems. The model, created by John McCumber in 1991, provides a graphical
representation of the architectural approach widely used in computer and information
security; it is now known as the McCumber Cube. The McCumber Cube in Figure 1-6 shows
three dimensions: the desired goals (confidentiality, integrity, availability), the information
states (storage, processing, transmission), and the safeguards (policy and practices,
education and training, technology). If extrapolated, the three elements of each axis become
a 3 x 3 x 3 cube with 27 cells representing areas that must be addressed to secure today's
information systems. To ensure system security, each of the 27 areas must be properly
addressed during the security process. For example, the intersection between technology, integrity, and
storage requires a control or safeguard that addresses the need to use technology to protect
the integrity of information while in storage. One such control might be a system for
detecting host intrusion that protects the integrity of information by alerting the security
administrators to the potential modification of a critical file. What is commonly left out of
such a model is the need for guidelines and policies that provide direction for the practices
and implementations of technologies.
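What "each of the 27 areas must be properly addressed" looks like as a check that can actually be run, as an added example that is not from the source text or from McCumber's own work: the three axes are the model's own, the control inventory is constructed, and which cells each control is mapped to is an assumption for illustration. The host intrusion detection entry is the cell the paragraph itself uses. The inventory is deliberately thin on the policy and education axes so the gap the paragraph warns about shows up in the output.

```python
"""McCumber Cube coverage check.

Added example, not from the source text. The axes are the model's; the
control inventory below is constructed and its cell mappings are assumptions."""
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("policy", "education", "technology")

# Constructed inventory: each control lists the cube cells it is assumed to address.
CONTROLS = {
    "host intrusion detection (alerts on critical file changes)": [
        ("integrity", "storage", "technology"),
    ],
    "full-disk encryption on laptops": [
        ("confidentiality", "storage", "technology"),
    ],
    "TLS for all internal service calls": [
        ("confidentiality", "transmission", "technology"),
        ("integrity", "transmission", "technology"),
    ],
    "offsite backups with quarterly restore test": [
        ("availability", "storage", "technology"),
        ("availability", "storage", "policy"),
    ],
    "data classification policy": [
        ("confidentiality", "storage", "policy"),
        ("confidentiality", "processing", "policy"),
        ("confidentiality", "transmission", "policy"),
    ],
    "annual phishing awareness training": [
        ("confidentiality", "processing", "education"),
    ],
}


def all_cells():
    """The 27 (goal, state, measure) cells of the cube."""
    return list(product(GOALS, STATES, MEASURES))


def validate_controls(controls):
    """Reject typos in the inventory so a misspelled axis value cannot
    silently count as coverage of a cell that does not exist."""
    for name, cells in controls.items():
        for goal, state, measure in cells:
            if goal not in GOALS or state not in STATES or measure not in MEASURES:
                raise ValueError(f"{name!r}: unknown cell {(goal, state, measure)}")


def coverage(controls):
    """Map every one of the 27 cells to the list of controls addressing it."""
    validate_controls(controls)
    cover = {cell: [] for cell in all_cells()}
    for name, cells in controls.items():
        for cell in cells:
            cover[cell].append(name)
    return cover


def uncovered_cells(controls):
    """Cells with no control at all: the gaps a reviewer should ask about."""
    return [cell for cell, names in coverage(controls).items() if not names]


def coverage_by_measure(controls):
    """Covered cells per safeguard axis; makes the usual imbalance visible
    (plenty of technology, little policy and education)."""
    cover = coverage(controls)
    return {m: sum(1 for (_g, _s, mm), names in cover.items() if mm == m and names)
            for m in MEASURES}


if __name__ == "__main__":
    gaps = uncovered_cells(CONTROLS)
    print(f"{len(all_cells()) - len(gaps)} of 27 cells covered; {len(gaps)} gaps")
    for cell in gaps:
        print("  uncovered:", cell)
    print("covered cells per measure:", coverage_by_measure(CONTROLS))
```

Run stand-alone it prints the 17 uncovered cells and the per-axis count (5 technology, 4 policy, 1 education), which is exactly the pattern the paragraph's last sentence describes: the technology axis gets filled in first and the policy and education cells are the ones left out.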

2. Write brief note on Information security.


Information security, sometimes shortened to InfoSec, is the practice of preventing
unauthorized access, use, disclosure, disruption, modification, inspection, recording or
destruction of information. The information or data may take any form, e.g. electronic or
physical. Information security's primary focus is the balanced protection of the
confidentiality, integrity and availability of data (also known as the CIA triad) while
maintaining a focus on efficient policy implementation, all without hampering organization
productivity.[2] This is largely achieved through a multi-step risk management process that
identifies assets, threat sources, vulnerabilities, potential impacts, and possible controls,
followed by assessment of the effectiveness of the risk management plan.
To standardize this discipline, academics and professionals collaborate and seek to set basic
guidance, policies, and industry standards on password, antivirus software, firewall,
encryption software, legal liability and user/administrator training standards. This
standardization may be further driven by a wide variety of laws and regulations that affect
how data is accessed, processed, stored, and transferred. However, the implementation of
any standards and guidance within an entity may have limited effect if a culture of continual
improvement is not adopted.
3. Compare SDLC and security SDLC.

4. Explain Key Information Security Concepts


Key Information Security Concepts
Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or
object. Authorized users have legal access to a system, whereas hackers have illegal access
to a system. Access controls regulate this ability.
Asset: The organizational resource that is being protected. An asset can be logical, such as a
Web site, information, or data; or an asset can be physical, such as a person, computer
system, or other tangible object. Assets, and particularly information assets, are the focus of
security efforts; they are what those efforts are attempting to protect.
Attack: An intentional or unintentional act that can cause damage to or otherwise
compromise information and/or the systems that support it. Attacks can be active or
passive, intentional or unintentional, and direct or indirect. Someone casually reading
sensitive information not intended for his or her use is a passive attack. A hacker attempting
to break into an information system is an intentional attack. A lightning strike that causes a
fire in a building is an unintentional attack. A direct attack is a hacker using a personal
computer to break into a system. An indirect attack is a hacker compromising a system and
using it to attack other systems, for example, as part of a botnet (slang for robot network).
This group of compromised computers, running software of the attacker's choosing, can
operate autonomously or under the attacker’s direct control to attack systems and steal user
information or conduct distributed denial-of-service attacks. Direct attacks originate from
the threat itself. Indirect attacks originate from a compromised system or resource that is
malfunctioning or working under the control of a threat.
Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that
can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve
the security within an organization.
Exploit: A technique used to compromise a system. This term can be a verb or a noun.
Threat agents may attempt to exploit a system or other information asset by using it illegally
for their personal gain. Or, an exploit can be a documented process to take advantage of a
vulnerability or exposure, usually in software, that is either inherent in the software or is
created by the attacker. Exploits make use of existing software tools or custom-made
software components.
Exposure: A condition or state of being exposed. In information security, exposure exists
when a vulnerability known to an attacker is present.
Loss: A single instance of an information asset suffering damage or unintended or
unauthorized modification or disclosure. When an organization’s information is stolen, it has
suffered a loss.
Protection profile or security posture: The entire set of controls and safeguards, including
policy, education, training and awareness, and technology, that the organization implements
(or fails to implement) to protect the asset. The terms are sometimes used interchangeably
with the term security program, although the security program often comprises managerial
aspects of security, including planning, personnel, and subordinate programs.
Risk: The probability that something unwanted will happen. Organizations must minimize
risk to match their risk appetite—the quantity and nature of risk the organization is willing
to accept.
Subjects and objects: A computer can be either the subject of an attack—an agent entity
used to conduct the attack—or the object of an attack—the target entity. A computer can be
both the subject and object of an attack, when, for example, it is compromised by an attack
(object), and is then used to attack other systems (subject).
Threat: A category of objects, persons, or other entities that presents a danger to an asset.
Threats are always present and can be purposeful or undirected. For example, hackers
purposefully threaten unprotected information systems, while severe storms incidentally
threaten buildings and their contents.
Threat agent: The specific instance or a component of a threat. For example, all hackers in
the world present a collective threat, while Kevin Mitnick, who was convicted for hacking
into phone systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or
tornado is a threat agent that is part of the threat of severe storms.
Vulnerability: A weakness or fault in a system or protection mechanism that opens it to
attack or damage. Some examples of vulnerabilities are a flaw in a software package, an
unprotected system port, and an unlocked door. Some well-known vulnerabilities have
been examined, documented, and published; others remain latent (or undiscovered).
5. Explain about system development life cycle model.
The Systems Development Life Cycle
Information security must be managed in a manner similar to any other major system
implemented in an organization. One approach for implementing an information security
system in an organization with little or no formal security in place is to use a variation of
the systems development life cycle (SDLC): the security systems development life cycle
(SecSDLC). A methodology is a formal approach to solving a problem by means of a
structured sequence of procedures; following one increases the probability that any system,
especially an information security program, will perform up to expectations in the
constantly changing environment in which it is placed.
The following sections describe each phase of the traditional SDLC.
Investigation
The first phase, investigation, is the most important. What problem is the system being
developed to solve? The investigation phase begins with an examination of the event or plan
that initiates the process. During the investigation phase, the objectives, constraints, and
scope of the project are specified. A preliminary cost-benefit analysis evaluates the
perceived benefits and the appropriate levels of cost for those benefits. At the conclusion of
this phase, and at every phase following, a feasibility analysis assesses the economic,
technical, and behavioural feasibilities of the process and ensures that implementation is
worth the organization’s time and effort.
Analysis
The analysis phase begins with the information gained during the investigation phase. This
phase consists primarily of assessments of the organization, its current systems, and its
capability to support the proposed systems. Analysts begin by determining what the new
system is expected to do and how it will interact with existing systems. This phase ends with
the documentation of the findings and an update of the feasibility analysis.
Logical Design
In the logical design phase, the information gained from the analysis phase is used to begin
creating a systems solution for a business problem. In any systems solution, it is imperative
that the first and driving factor is the business need. Based on the business need,
applications are selected to provide needed services, and then data support and structures
capable of providing the needed inputs are chosen. Finally, based on all of the above,
specific technologies to implement the physical solution are delineated. The logical design is,
therefore, the blueprint for the desired solution. The logical design is implementation
independent, meaning that it contains no reference to specific technologies, vendors, or
products. It addresses, instead, how the proposed system will solve the problem at hand. In
this stage, analysts generate a number of alternative solutions, each with corresponding
strengths and weaknesses, and costs and benefits, allowing for a general comparison of
available options. At the end of this phase, another feasibility analysis is performed.
Physical Design
During the physical design phase, specific technologies are selected to support the
alternatives identified and evaluated in the logical design. The selected components are evaluated
based on a make-or-buy decision (develop the components in-house or purchase them
from a vendor). Final designs integrate various components and technologies. After yet
another feasibility analysis, the entire solution is presented to the organizational
management for approval.
Implementation
In the implementation phase, any needed software is created. Components are ordered,
received, and tested. Afterward, users are trained and supporting documentation created.
Once all components are tested individually, they are installed and tested as a system. Again
a feasibility analysis is prepared, and the sponsors are then presented with the system for a
performance review and acceptance test.
Maintenance and Change
The maintenance and change phase is the longest and most expensive phase of the process.
This phase consists of the tasks necessary to support and modify the system for the
remainder of its useful life cycle. Even though formal development may conclude during this
phase, the life cycle of the project continues until it is determined that the process should
begin again from the investigation phase. At periodic points, the system is tested for
compliance, and the feasibility of continuance versus discontinuance is evaluated. Upgrades,
updates, and patches are managed. As the needs of the organization change, the systems
that support the organization must also change. It is imperative that those who manage the
systems, as well as those who support them, continually monitor the effectiveness of the
systems in relation to the organization’s environment. When a current system can no longer
support the evolving mission of the organization, the project is terminated and a new
project is implemented.

6. Brief about Critical Characteristics of Information.


Critical Characteristics of Information
The value of information comes from the characteristics it possesses. When a characteristic
of information changes, the value of that information either increases, or, more commonly,
decreases. Some characteristics affect information’s value to users more than others do. This
can depend on circumstances; for example, timeliness of information can be a critical factor,
because information loses much or all of its value when it is delivered too late. Though
information security professionals and end users share an understanding of the
characteristics of information, tensions arise when the need to secure information from
threats conflicts with the end users' need for unhindered access to it. Protecting one
characteristic can also be taken too far: in 2006 the chairwoman of Hewlett-Packard
Corporation, Patricia Dunn, authorized contract investigators to use pretexting to "smoke
out" a corporate director suspected of leaking confidential information. The resulting
firestorm of negative publicity led to Ms. Dunn's eventual departure from the company.
Confidentiality Information has confidentiality when it is protected from disclosure or
exposure to unauthorized individuals or systems. Confidentiality ensures that only those
with the rights and privileges to access information are able to do so. When unauthorized
individuals or systems can view information, confidentiality is breached. To protect the
confidentiality of information, you can use a number of measures, including the following:
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users
Confidentiality, like most of the characteristics of information, is interdependent with other
characteristics and is most closely related to the characteristic known as privacy.
The value of confidentiality of information is especially high when it is personal information
about employees, customers, or patients. Individuals who transact with an organization
expect that their personal information will remain confidential, whether the organization is
a federal agency, such as the Internal Revenue Service, or a business. Problems arise when
companies disclose confidential information. Sometimes this disclosure is intentional, but
there are times when disclosure of confidential information happens by mistake—for
example, when confidential information is mistakenly e-mailed to someone outside the
organization rather than to someone inside the organization. Several cases of privacy
violation are outlined in Offline: Unintentional Disclosures.
Other examples of confidentiality breaches are an employee throwing away a document
containing critical information without shredding it, or a hacker who successfully breaks into
an internal database of a Web-based organization and steals sensitive information about the
clients, such as names, addresses, and credit card numbers.
As a consumer, you give up pieces of confidential information in exchange for convenience
or value almost daily. By using a “members only” card at a grocery store, you disclose some
of your spending habits. When you fill out an online survey, you exchange pieces of your
personal history for access to online privileges. The bits and pieces of your information that
you disclose are copied, sold, replicated, distributed, and eventually coalesced into profiles
and even complete dossiers of yourself and your life. A similar technique is used in a criminal
enterprise called salami theft. A deli worker knows he or she cannot steal an entire salami,
but a few slices here or there can be taken home without notice. Eventually the deli worker
has stolen a whole salami. In information security, salami theft occurs when an employee
steals a few pieces of information at a time, knowing that taking more would be noticed—
but eventually the employee gets something complete or useable.
Integrity Information has integrity when it is whole, complete, and uncorrupted. The
integrity of information is threatened when the information is exposed to corruption,
damage, destruction, or other disruption of its authentic state. Corruption can occur while
information is being stored or transmitted. Many computer viruses and worms are designed
with the explicit purpose of corrupting data. For this reason, one method for detecting a
virus or worm is to look for changes in file integrity, such as a change in the size of a file;
on its own, however, size is a weak indicator, because a file can be altered without its size
changing. The key method of assuring information integrity is file hashing, in which a file is
read by a special algorithm that uses the value of the bits in the file to compute a single
large number called a hash value. With a cryptographic hash function it is computationally
infeasible to find two different files that produce the same hash value. If a computer
system performs the same hashing algorithm on a file and obtains a different number than
the recorded hash value for that file, the file has been altered and the integrity of the
information is lost. The recorded hash values must themselves be protected, otherwise an
attacker who can change the file can also update the record to match. Information integrity
is the cornerstone of information systems, because information is of no value or use if users
cannot verify its integrity.
File corruption is not necessarily the result of external forces, such as hackers. Noise in the
transmission media, for instance, can also cause data to lose its integrity. Transmitting data
on a circuit with a low voltage level can alter and corrupt the data. Redundancy bits and
check bits can compensate for internal and external threats to the integrity of information.
During each transmission, algorithms, hash values, and the error-correcting codes ensure
the integrity of the information. Data whose integrity has been compromised is
retransmitted.
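The two integrity mechanisms the text names, a file-change check and an error-detecting code for transmission, side by side, as an added example that is not from the source text. The "files", the key and the tampering are all constructed. It shows three things the paragraphs only state: a size check misses an edit that keeps the size the same, a SHA-256 baseline catches it, and the baseline has to be sealed (here with an HMAC under an assumed key) so that whoever can alter the file cannot also rewrite the record. The CRC32 at the end is the kind of check that catches line noise; it is included to make the point that it is not a security control, since anyone who changes the data can recompute it.

```python
"""File integrity: size check vs. SHA-256 baseline vs. keyed (HMAC) baseline,
plus a CRC32 for transmission errors.

Added example, not from the source text. The files, the tampering and the
baseline key are constructed for illustration."""
import hashlib
import hmac
import zlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _seal(entries: dict, key: bytes) -> str:
    """HMAC over a canonical rendering of the baseline, so the record itself
    cannot be edited to match a tampered file without knowing the key."""
    canon = "\n".join(f"{p}:{e['size']}:{e['sha256']}" for p, e in sorted(entries.items()))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


def build_baseline(files: dict, key: bytes) -> dict:
    """Record size and SHA-256 of every file and seal the whole record."""
    entries = {path: {"size": len(data), "sha256": sha256_hex(data)}
               for path, data in sorted(files.items())}
    return {"entries": entries, "mac": _seal(entries, key)}


def baseline_is_authentic(baseline: dict, key: bytes) -> bool:
    return hmac.compare_digest(_seal(baseline["entries"], key), baseline["mac"])


def check_integrity(files: dict, baseline: dict, key: bytes) -> dict:
    """Status per path: ok, modified, missing or new.
    Refuses to report anything if the baseline fails its own MAC."""
    if not baseline_is_authentic(baseline, key):
        raise ValueError("baseline has been tampered with, or wrong key")
    entries = baseline["entries"]
    status = {}
    for path, entry in entries.items():
        if path not in files:
            status[path] = "missing"
        elif sha256_hex(files[path]) != entry["sha256"]:
            status[path] = "modified"
        else:
            status[path] = "ok"
    for path in files:
        if path not in entries:
            status[path] = "new"
    return status


def size_only_check(files: dict, baseline: dict) -> dict:
    """What a size-based check reports; included to show what it misses."""
    return {p: ("ok" if p in files and len(files[p]) == e["size"] else "modified")
            for p, e in baseline["entries"].items()}


def crc32_detects(original: bytes, received: bytes) -> bool:
    """Error-detecting code for line noise. Detects any single-bit error, but it
    is not a security control: an attacker recomputes it after altering the data."""
    return zlib.crc32(original) != zlib.crc32(received)


# Constructed sample files and an assumed baseline key.
KEY = b"example-baseline-key"
FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}
BASELINE = build_baseline(FILES, KEY)

# Same-size tampering: alice's UID becomes 0 (root-equivalent); the byte count is unchanged.
TAMPERED = dict(FILES)
TAMPERED["/etc/passwd"] = FILES["/etc/passwd"].replace(b"alice:x:1000:", b"alice:x:0000:")

if __name__ == "__main__":
    print("size-only check:", size_only_check(TAMPERED, BASELINE))
    print("sha256 baseline:", check_integrity(TAMPERED, BASELINE, KEY))
    print("crc32 notices the change:", crc32_detects(FILES["/etc/passwd"], TAMPERED["/etc/passwd"]))
```

In a real deployment the baseline and key live somewhere the monitored host cannot write to (a separate server, or at least a read-only medium); a baseline stored next to the files it describes, unsigned, is only a record of what the attacker chose to leave behind.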
Utility The utility of information is the quality or state of having value for some purpose or
end. Information has value when it can serve a purpose. If information is available, but is not
in a format meaningful to the end user, it is not useful. For example, to a private citizen
U.S. Census data can quickly become overwhelming and difficult to interpret; however, for a
politician, U.S. Census data reveals information about the residents in a district, such as their
race, gender, and age. This information can help form a politician’s next campaign strategy.
Possession The possession of information is the quality or state of ownership or control.
Information is said to be in one’s possession if one obtains it, independent of format or
other characteristics. While a breach of confidentiality always results in a breach of
possession, a breach of possession does not always result in a breach of confidentiality. For
example, assume a company stores its critical customer data using an encrypted file system.
An employee who has quit decides to take a copy of the tape backups to sell the customer
records to the competition. The removal of the tapes from their secure environment is a
breach of possession. But, because the data is encrypted, neither the employee nor anyone
else can read it without the proper decryption methods; therefore, there is no breach of
confidentiality. Today, people caught selling company secrets face increasingly stiff fines
with the likelihood of jail time. Also, companies are growing more and more reluctant to hire
individuals who have demonstrated dishonesty in their past.

7.b Balancing Information security and access

Balancing Information Security and Access

Even with the best planning and implementation, it is impossible to obtain perfect information
security. Recall James Anderson’s statement from the beginning of this chapter, which emphasizes
the need to balance security and access. Information security cannot be absolute: it is a process, not
a goal. It is possible to make a system available to anyone, anywhere, anytime, through any means.
However, such unrestricted access poses a danger to the security of the information. On the other
hand, a completely secure information system would not allow anyone access. For instance, when
challenged to achieve a TCSEC C-2 level security certification for its Windows operating system,
Microsoft had to remove all networking components and operate the computer from only the
console in a secured room.

To achieve balance—that is, to operate an information system that satisfies the user and the security
professional—the security level must allow reasonable access, yet protect against threats. Figure 1-8
shows some of the competing voices that must be considered when balancing information security
and access.

Because of today's security concerns and issues, an information system or data-processing
department can get too entrenched in the management and protection of systems. An imbalance
can occur when the needs of the end user are undermined by too heavy a focus on protecting and
administering the information systems. Both information security technologists and end users must
recognize that both groups share the same overall goals of the organization—to ensure the data is
available when, where, and how it is needed, with minimal delays or obstacles. In an ideal world, this
level of availability can be met even after concerns about loss, damage, interception, or destruction
have been addressed.

8. Explain about Security Professionals and community of interest.

Security Professionals and the Organization

It takes a wide range of professionals to support a diverse information security program. As noted
earlier in this chapter, information security is best initiated from the top down. Senior management
is the key component and the vital force for a successful implementation of an information security
program. But administrative support is also essential to developing and executing specific security
policies and procedures, and technical expertise is of course essential to implementing the details of
the information security program. The following sections describe the typical information security
responsibilities of various professional roles in an organization.

Senior Management

The senior technology officer is typically the chief information officer (CIO), although other titles
such as vice president of information, VP of information technology, and VP of systems may be used.
The CIO is primarily responsible for advising the chief executive officer, president, or company owner
on the strategic planning that affects the management of information in the organization. The CIO
translates the strategic plans of the organization as a whole into strategic information plans for the
information systems or data processing division of the organization. Once this is accomplished, CIOs
work with subordinate managers to develop tactical and operational plans for the division and to
enable planning and management of the systems that support the organization.

The chief information security officer (CISO) has primary responsibility for the assessment,
management, and implementation of information security in the organization. The CISO may also be
referred to as the manager for IT security, the security administrator, or a similar title. The CISO
usually reports directly to the CIO, although in larger organizations it is not uncommon for one or
more layers of management to exist between the two. However, the recommendations of the CISO
to the CIO must be given equal, if not greater, priority than other technology and information-
related proposals. The placement of the CISO and supporting security staff in organizational
hierarchies is the subject of current debate across the industry.

Information Security Project Team

The information security project team should consist of a number of individuals who are
experienced in one or multiple facets of the required technical and nontechnical areas. Many of the
same skills needed to manage and implement security are also needed to design it. Members of the
security project team fill the following roles:

Champion: A senior executive who promotes the project and ensures its support, both financially
and administratively, at the highest levels of the organization.

Team leader: A project manager, who may be a departmental line manager or staff unit manager,
who understands project management, personnel management, and information security technical
requirements.

Security policy developers: People who understand the organizational culture, existing policies, and
requirements for developing and implementing successful policies.
Risk assessment specialists: People who understand financial risk assessment techniques, the value
of organizational assets, and the security methods to be used.

Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information
security from both a technical and nontechnical standpoint.

Systems administrators: People with the primary responsibility for administering the systems that
house the information used by the organization.

End users: Those whom the new system will most directly affect. Ideally, a selection of users from
various departments, levels, and degrees of technical knowledge assist the team in focusing on the
application of realistic controls applied in ways that do not disrupt the essential business activities
they seek to safeguard.

Data Responsibilities

The three types of data ownership and their respective responsibilities are outlined below:

Data owners: Those responsible for the security and use of a particular set of information. They are
usually members of senior management and could be CIOs. The data owners usually determine the
level of data classification (discussed later), as well as the changes to that classification required by
organizational change. The data owners work with subordinate managers to oversee the day-to-day
administration of the data.

Data custodians: Working directly with data owners, data custodians are responsible for the storage,
maintenance, and protection of the information. Depending on the size of the organization, this may
be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems
administrator or other technology manager. The duties of a data custodian often include overseeing
data storage and backups, implementing the specific procedures and policies laid out in the security
policies and plans, and reporting to the data owner.

Data users: End users who work with the information to perform their assigned roles supporting the
mission of the organization. Everyone in the organization is responsible for the security of data, so
data users are included here as individuals with an information security role.

Communities of Interest

Each organization develops and maintains its own unique culture and values. Within each
organizational culture, there are communities of interest that develop and evolve. As defined here,
a community of interest is a group of individuals who are united by similar interests or values within
an organization and who share a common goal of helping the organization to meet its objectives.
While there can be many different communities of interest in an organization, this book identifies
the three that are most common and that have roles and responsibilities in information security. In
theory, each role must complement the other; in practice, this is often not the case.

Information Security Management and Professionals

The roles of information security professionals are aligned with the goals and mission of the
information security community of interest. These job functions and organizational roles focus on
protecting the organization’s information systems and stored information from attacks.

Information Technology Management and Professionals


The community of interest made up of IT managers and skilled professionals in systems design,
programming, networks, and other related disciplines has many of the same objectives as the
information security community. However, its members focus more on costs of system creation and
operation, ease of use for system users, and timeliness of system creation, as well as transaction
response time. The goals of the IT community and the information security community are not
always in complete alignment, and depending on the organizational structure, this may cause
conflict.

Organizational Management and Professionals

The organization’s general management team and the rest of the resources in the organization make
up the other major community of interest. This large group is almost always made up of subsets of
other interests as well, including executive management, production management, human
resources, accounting, and legal, to name just a few. The IT community often categorizes these
groups as users of information technology systems, while the information security community
categorizes them as security subjects. In fact, this community serves as the greatest reminder that all
IT systems and information security objectives exist to further the objectives of the broad
organizational community. The most efficient IT systems operated in the most secure fashion ever
devised have no value if they are not useful to the organization as a whole.
