COSC 6301 - Computer Security - Overview

This document contains a chapter summary for a computer security course. It discusses key topics that will be covered, including computer security basics, elements, and roles and responsibilities. The chapter defines computer security and the CIA triad of confidentiality, integrity and availability. It provides examples of different impact levels for losses of confidentiality, integrity and availability. Finally, it outlines some of the key elements of computer security according to the National Institute of Standards and Technology handbook.

Addis Ababa University

Faculty of Science
Department of Computer Science

COSC 6301 – Computer Security

Chapter 1 - Overview
By
Girum Ketema (PhD)
[email protected]
[email protected]
Outline
• Course Outline
• Basics
• Computer Security Elements
• Roles and Responsibilities
Definition – Computer Security
• Measures and controls that ensure confidentiality, integrity, and availability of information
system assets (includes hardware, software, firmware, information being processed, stored and
communicated). (NIST 2013)

Figure: the CIA triad objectives (confidentiality, integrity, availability) applied to the information system resources: hardware, software, firmware, data, telecommunications.

NIST 2013 – The National Institute of Standards and Technology (NIST) Internal Report 7298 (May 2013)
Confidentiality
• Preserving authorized restrictions on information access and disclosure, including
means for protecting personal privacy and proprietary information.

• A loss of confidentiality is the unauthorized disclosure of information.

Data Confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.

Privacy: Assures that individuals control or influence information related to them:
• Collection
• Storage
• Disclosure – By Whom, to Whom
Integrity
• Guarding against improper information modification or destruction, including
ensuring information nonrepudiation and authenticity.
• A loss of integrity is the unauthorized modification or destruction of information.

Data Integrity: Assures that information and programs are changed only in a specified and authorized manner.

System Integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
Availability
• Ensuring timely and reliable access to and use of information.
• A loss of availability is the disruption of access to or use of information
or an information system.
Security Impact Levels
Low
Moderate
High
Security Impact Levels – Low
• Limited adverse effect
• Degradation in mission capability but can perform primary functions
• Minor damage to organizational assets
• Minor financial loss
• Minor harm to individuals
Security Impact Levels – Moderate
• Serious adverse effect
• Significant degradation in mission capability but can perform primary functions with reduced effectiveness
• Significant damage to organizational assets
• Significant financial loss
• Significant harm to individuals
Security Impact Levels – High
• Severe or catastrophic adverse effect
• Severe degradation or loss in mission capability
• Major damage to organizational assets
• Major financial loss
• Major harm to individuals (may include loss of life)
Examples – Loss of Confidentiality
• Grade information should only be available to students, their parents,
and employees that require the information to do their job.
• Low Impact → Disclosure of directory list of students and staff
• Moderate → Disclosure of enrolment information
• High → Disclosure of student grade information
Example – Loss of Integrity
• Low Impact → Anonymous online poll
• Moderate → Falsified information on a website may damage the
reputation of the website
• High → Inaccurate allergy information in a hospital database may
result in death or serious injury
Example – Loss of Availability
• Critical systems have more availability requirements
• Low Impact → Online telephone directory
• Moderate → Public website of an organization
• High → Authentication service for other systems
Definition …

Authenticity: The property of being genuine and being able to be verified and trusted

Accountability: The security goal that generates the requirement for actions of an entity to be
traced uniquely to that entity.

Accountability supports: nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and legal action.
Outline
• Course Outline
• Basics
• Computer Security Elements
• Roles and Responsibilities
Computer Security Elements (NIST Handbook)
• Computer security should support the mission of the organization.
• Computer security is an integral element of sound management.
• Computer security should be cost-effective.
• Computer security responsibilities and accountability should be made explicit.
• System owners have computer security responsibilities outside their own organizations.
• Computer security requires a comprehensive and integrated approach.
• Computer security should be periodically reassessed.
• Computer security is constrained by societal factors.
Computer Security Elements (NIST Handbook)
Computer security should support the mission of the organization.
• Security rules and procedures should not negatively impact the mission of the organization.
• Security is a means to an end and not an end in itself.
• Security shall explicitly be stated in terms of the organization’s mission.
• In inter-organizational systems, each organization benefits from securing their systems.
Computer Security Elements (NIST Handbook)
Computer security is an integral element of sound management.
• Management personnel are ultimately responsible for determining the level of acceptable risk for a specific system and the organization as a whole, taking into account the cost of security controls.
• Security breaches can’t be avoided completely. The management shall find a balance between protecting the information and utilizing available resources.
• When an organization's information and systems are linked with external systems, management’s responsibilities extend beyond organizational boundaries.
Computer Security Elements (NIST Handbook)
Computer security should be cost-effective.
• The costs and benefits of security should be carefully examined in both monetary and nonmonetary terms to ensure that the cost of controls does not exceed expected benefits.
• By investing in security measures, an organization can reduce the frequency and severity of computer security-related losses.
• Security benefits do have both direct and indirect costs.
• Solutions to security problems should not be chosen if they cost more, directly or indirectly, than simply tolerating the problem.
Computer Security Elements (NIST Handbook)
Computer security responsibilities and accountability should be made explicit.
• The responsibilities and accountability of owners, providers, and users of computer systems and other parties concerned with the security of computer systems should be explicit.
• If the responsibilities are not made explicit, management may find it difficult to hold personnel accountable for future outcomes.
• Documenting information security responsibilities is not dependent on the size of the organization.
• All organizations, irrespective of size, must have a security policy.
Computer Security Elements (NIST Handbook)
System owners have computer security responsibilities outside their own organizations.
• If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of security measures so that other users can be confident that the system is adequately secure.
• Managers should act in a timely, coordinated manner to prevent and to respond to breaches of security, to help prevent damage.
Computer Security Elements (NIST Handbook)
Computer security requires a comprehensive and integrated approach.
• A comprehensive approach that considers a variety of areas both within and outside of the computer security field shall be in place.
• Interdependencies of Security Controls: security controls often depend upon the proper functioning of other controls.
• Other Interdependencies: The effectiveness of security controls also depends on such factors as system management, legal issues, quality assurance, and internal and management controls.
Computer Security Elements (NIST Handbook)
Computer security should be periodically reassessed.
• Computer security is not a static process. It requires continuous monitoring and management.
• Organizations must ensure that new vulnerabilities and evolving threats are quickly identified and responded to accordingly.
• Understanding of organizational risk tolerance to assist officials in setting priorities and managing risk throughout the organization in a consistent manner is required.
Computer Security Elements (NIST Handbook)
Computer security is constrained by societal and cultural factors.
• The ability of security to support the mission of the organization(s) may be limited by various factors, such as social issues. For example, security and workplace privacy can conflict.
• Organizations shall make information security functions transparent, easy to use, and understandable.
• Organizations shall find a balance between information security requirements and usability.
Outline
• Course Outline
• Basics
• Computer Security Elements
• Roles and Responsibilities
Roles and Responsibilities
• The security job involves activities that span across the enterprise.
• Clear designation of roles and responsibilities is crucial.
• In small organizations, an employee may take more than one responsibility.
Risk Executive Function (Senior Management)
• Defining a holistic approach to addressing risk across the entire organization;
• Developing an organizational risk management strategy;
• Supporting information-sharing amongst authorizing officials and other senior leaders in the organization;
• Overseeing risk management related activities across the organization.
Chief Executive Officer (CEO)
• Ensuring the integration of information security management processes with strategic and operational planning processes;
• Making sure that the information and systems used to support organizational operations have proper information security safeguards;
• Confirming that trained personnel are complying with related information security legislation, policies, directives, instructions, standards, and guidelines.
Chief Information Officer (CIO)
• Allocating resources dedicated to the protection of the systems supporting the organization’s mission and business functions;
• Ensuring that systems are protected by approved security plans and are authorized to operate;
• Making sure that there is an organization-wide information security program that is being effectively implemented.
Information Owner
• Establishing the rules for the appropriate use and protection of the subject information;
• Providing input to system owners regarding the security requirements and security controls needed to adequately protect the subject information.
Chief Information Security Officer
• Managing and implementing an organization-wide information security program;
• Assuming the role of authorizing official designated representative or security control assessor when needed.
Authorizing Official (AO)
• Approving security plans, memorandums of agreement or understanding, plans of action and milestones, as well as determining whether significant changes in the system or environments of operation require reauthorization;
• Ensuring that authorizing official designated representatives carry out all activities and functions associated with security authorization.
Authorizing Official Designated Representative
• Carrying out the duties of the Authorizing Official as assigned;
• Making decisions with regard to planning and resourcing of the security authorization process, approval of the security plan, approving and monitoring the implementation of plans of action and milestones, and the assessment and/or determination of risk;
• Preparing the final authorization package, obtaining the authorizing official’s signature on the authorization decision document, and transmitting the authorization package to appropriate organizational officials.
Senior Agency Official for Privacy
• Overseeing, coordinating, and facilitating the agency’s privacy compliance efforts;
• Reviewing the agency’s information privacy procedures to ensure that they are comprehensive and up-to-date;
• Ensuring the agency’s employees and contractors receive appropriate training and education programs regarding the information privacy laws, regulations, policies, and procedures governing the agency’s handling of personal information.
Common Control Provider
• Documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization);
• Ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization.
System Owner
• Addressing the operational interests of the user community (i.e., users who require access to the system to satisfy mission, business, or operational requirements);
• Ensuring compliance with information security requirements; and
• Developing and maintaining the system security plan and ensuring that the system is deployed and operated in accordance with the agreed-upon security controls.
System Security Officer (SSO)
• Overseeing the day-to-day security operations of a system;
• Assisting in the development of the security policies and procedures and ensuring compliance with those policies and procedures.
Information Security Architect
• Serving as the liaison between the enterprise architect and the information security engineer;
• Coordinating with system owners, common control providers, and system security officers on the allocation of security controls as system-specific, hybrid, or common controls.
System Security Engineer (SSE)
• Designing and developing organizational systems or upgrading legacy systems;
• Coordinating security-related activities with information security architects, senior agency information security officers, system owners, common control providers, and system security officers.
Security Control Assessor
• Providing an assessment to identify weaknesses or deficiencies in the system and its environment of operation;
• Recommending corrective actions to address identified vulnerabilities;
• Preparing a security assessment report containing the results and findings from the assessment.
System Administrator
1. Installing, configuring, and updating hardware and software
2. Establishing and managing user accounts
3. Overseeing backup and recovery tasks
4. Implementing technical security controls.
User
• Adhering to policies that govern acceptable use of organizational systems;
• Using the organization-provided IT resources for defined purposes only;
• Reporting anomalies or suspicious system behavior.

Supporting Roles - Auditor
• Check whether the system is meeting stated security requirements and organization policies.
• Check whether security controls are appropriate.
• Informal audits can be performed by those operating the system under review or by impartial third-party auditors.
Support - Physical Security Staff
• The physical security office is responsible for developing and enforcing appropriate physical security controls, often in consultation with information security management, program and functional managers, and others.
• Physical security addresses central system installations, backup facilities, and office environments.
• In the government, this office is often responsible for processing personnel background checks and security clearances.
Disaster Recovery/Contingency Planning Staff
• Some organizations have a separate disaster recovery/contingency planning staff.
• The staff is typically responsible for contingency planning for the entire organization and works with other teams to obtain additional contingency planning support, as needed.
Assignment
Instruction

• Write a short essay on the Ethiopian security roles and responsibilities in your organization.
• Comment on missing gaps by comparing to the NIST recommendation

Pages

• Max 5 pages. Min 2 pages.

Due Date

• Next Wednesday (December 01, 2021).
