
CMSC 120 INFORMATION ASSURANCE AND SECURITY BSCS 4

CHAPTER 12

INFORMATION SECURITY MAINTENANCE

At the end of the chapter, the learners should be able to:

1. Discuss the need for ongoing maintenance of the information security program
2. List the recommended security management models
3. Define a model for a full maintenance program
4. Identify the key factors involved in monitoring the external and internal environment
5. Describe how planning, risk assessment, vulnerability assessment, and remediation tie into
information security maintenance
6. Explain how to build readiness and review procedures into information security maintenance
7. Define digital forensics, and describe the management of the digital forensics function
8. Describe the process of acquiring, analyzing, and maintaining potential evidentiary material

INTRODUCTION

After successfully implementing and testing a new and improved information security profile, an
organization may feel more confident about the level of protection it provides for its information assets.
But it shouldn’t, really. In all likelihood, a good deal of time has passed since the organization began
implementing changes to the information security program. In that time, the dynamic aspects of the
organization’s environment will have changed. Almost all aspects of a company’s environment are
dynamic, meaning threats that were originally assessed in the early stages of the project’s security
systems development life cycle (SecSDLC) have probably changed and new priorities have emerged.
New types of attacks such as viruses, worms, and denial-of-service attacks have been developed, and
new variants of existing attacks have probably emerged as well. In addition, a host of other variables
outside and inside the organization have most likely changed.

Developing a comprehensive list of dynamic factors in an organization's environment is beyond the
scope of this text. However, the following changes may affect an organization's information security
environment:
● The acquisition of new assets and the divestiture of old assets
● The emergence of vulnerabilities associated with new or existing assets
● Shifting business priorities
● The formation of new partnerships
● The dissolution of old partnerships
● The departure of personnel who are trained, educated, and aware of policies,
procedures, and technologies
● The hiring of personnel

As this list shows, by the time a cycle of the SecSDLC is completed, the environment of an
organization has probably changed considerably. An information security team needs to be able to
assure management periodically that the information security program is accommodating these
changes. If the program is not adjusting adequately to change, it may be necessary to begin the cycle
again. If an organization deals successfully with change and has created procedures and systems that
can be adjusted to the environment, the existing security improvement program can continue to work
well. Deciding whether to continue with the current improvement program or to renew the
investigation, analysis, and design phases depends on how much change has occurred and how well
the organization and its program for information security maintenance are adapting to the evolving
environment.

Before learning about the maintenance model that the authors recommend, you need some
background on the management and operation of an information security program.

Ms. Olga Llanera, Course Facilitator

SECURITY MANAGEMENT MAINTENANCE

auditing: The review of a system's use to determine whether misuse or malfeasance has occurred.
build: A snapshot of a particular version of software assembled or linked from its component
modules.
build list: A list of the versions of components that make up a build.
configuration: A collection of components that make up a configuration item.
configuration and change management (CCM): An approach to implementing system change that
uses policies, procedures, techniques, and tools to manage and evaluate proposed changes, track
changes through completion, and maintain systems inventory and supporting documentation.
configuration item: A hardware or software item that will be modified and revised throughout its life
cycle.
major release: A significant revision of a version from its previous state.
minor release (update or patch): A minor revision of a version from its previous state.
revision date: The date associated with a particular version or build.
software library: A collection of configuration items that is usually controlled and that developers use
to construct revisions and issue new configuration items.
version: The recorded state of a particular revision of a software or hardware configuration item. The
version number is often noted in a specific format, such as "M.N.b", where "M" is the major release
number and "N.b" represents the minor releases or builds within that major release.

NIST Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers,
provides managerial guidance for the establishment and implementation of an information security
program. In particular, the handbook addresses the ongoing tasks expected of an information security
manager once the program is working and day-to-day operations are established.

For each of the 13 areas of information security management presented in SP 800-100, there are specific
monitoring activities: tasks that security managers should perform on an ongoing basis to monitor the
function of the security program and take corrective action when issues arise. Not all issues are
negative. Some are normal changes in the business environment, while others are changes in the
technology environment, such as the emergence of new technologies that could improve security, or
new security standards and regulations to which the organization should subscribe.

The following sections describe monitoring actions for the 13 information security areas. These
sections were adapted from SP 800-100.

1. Information Security Governance. An effective information security governance program requires
constant review. Agencies should monitor the status of their programs to ensure that:
● Ongoing information security activities are providing appropriate support to the agency’s
mission.
● Policies and procedures are current and aligned with evolving technologies, if appropriate.
● Controls are accomplishing their intended purpose.

Over time, policies and procedures may become inadequate because of changes in the agency’s
mission and operational requirements, threats, or the environment; deterioration in the degree of
compliance; or changes in technology, infrastructure, or business processes. Periodic assessments and
reports on activities can identify areas of noncompliance, remind users of their responsibilities, and
demonstrate management’s commitment to the security program. While an organization’s mission does
not frequently change, the agency may expand its mission to secure its programs and assets and require
modification to its information security requirements and practices.

2. Systems Development Life Cycle. The systems development life cycle (SDLC) is the overall
process of developing, implementing, and retiring information systems through a multistep
approach (initiation, analysis, design, implementation, and maintenance, through to disposal). Each
phase of the SDLC includes a minimum set of information security activities required to effectively
incorporate security into a system.

3. Awareness and Training. Once the program has been implemented, processes must be put in place
to monitor compliance and effectiveness.

An automated tracking system should be designed to capture key information about program activity,
such as courses, dates, audience, costs, and sources. The tracking system should capture this data at an
agency level so it can be used to provide enterprise-wide analysis and reporting about awareness,
training, and education initiatives.

Tracking compliance involves assessing the status of the program as indicated by the database
information and mapping it to standards established by the agency. Reports can be generated and used
to identify gaps or problems. Corrective action and necessary follow-up can then be taken. This
follow-up may take the form of formal reminders to management; additional awareness, training, or
education offerings; and the establishment of a corrective plan with scheduled completion dates. As
the organization's environment changes, the security policies must evolve, and all awareness and
training material should reflect these changes.

4. Capital Planning and Investment Control. Increased competition for limited resources requires that
departments allocate available funding toward their highest-priority information security
investments to afford the organization the appropriate degree of security for its needs. This goal can
be achieved through a formal enterprise capital planning and investment control (CPIC) process
designed to facilitate the expenditure of agency funds.

5. Interconnecting Systems. A system interconnection is defined as the direct connection of two or
more information systems for sharing data and other information resources. Organizations choose
to interconnect their information systems for a variety of reasons based on their needs. For example,
they may interconnect information systems to exchange data, collaborate on joint projects, or
securely store data and backup files.

Interconnecting information systems can expose the participating organizations to risk. For instance,
if the interconnection is not properly designed, security failures could compromise the connected
systems and their data. Similarly, if one of the connected systems is compromised, the
interconnection could be used as a conduit to compromise the other system and its data.

6. Performance Measures. A program of performance measures provides numerous financial benefits
to organizations. Organizations can develop information security metrics that measure the
effectiveness of their security program and provide data to be analyzed and used by program
managers and system owners to isolate problems, justify investment requests, and target funds to
the areas in need of improvement.

By using metrics to target security investments, agencies can get the best value from available
resources. The typical information security performance management program consists of four
interdependent components: senior management support, security policies and procedures,
quantifiable performance metrics, and analyses.

7. Security Planning. Planning is one of the most crucial ongoing responsibilities in security
management. Strategic, tactical, and operating plans must be developed that align with and support
organizational and IT plans, goals, and objectives.

8. Information Technology Contingency Planning. Contingency planning consists of a process for
recovery and the documentation of procedures for conducting recovery. The ongoing responsibilities
of security management involve the maintenance of the contingency plan. The contingency plan must
always be in a ready state for use immediately upon notification. Periodic reviews of the plan must
be conducted to ensure the currency of key personnel and vendor information, system components
and dependencies, the recovery strategy, vital records, and operating requirements. While some
changes may be obvious, such as personnel turnover or vendor changes, others require analysis.

The business impact analysis should be reviewed periodically and updated with new information
to identify new contingency requirements and priorities. Changes to the plan are noted in a record
of changes, dated, and signed or initialed by the person making the change. The revised plan or plan
sections are circulated to those with plan responsibilities. Because of the impact that plan changes
may have on interdependent business processes or information systems, the changes must be clearly
communicated and properly annotated at the beginning of the document.

9. Risk Management. Risk management is an ongoing effort as well. Risk identification, analysis, and
management are a cyclic and fundamental part of continuous improvement in information security.
The principal goal of risk management is to protect the organization and its ability to perform its
mission, not just protect its information assets. Risk management is an essential management
function of the organization that is tightly woven into the SDLC. Because risk cannot be eliminated
entirely, the risk management process allows information security program managers to balance
operating and economic costs of protective measures and achieve gains in mission capability. By
employing practices and procedures designed to foster informed decision making, agencies help
protect their information systems and the data that support their own mission.

10. Certification, Accreditation, and Security Assessments. Certification and accreditation (C&A) for
federal systems not designated as national security systems has changed radically: NIST SP 800-37
now frames the process as the Risk Management Framework, in which systems are assessed and
authorized to operate rather than certified and accredited. Some organizations need to review their
own systems for certification and accreditation to comply with banking, healthcare, international, or
other regulations. Others may want the recognition offered by certification against standards such as
ISO/IEC 27001, the certifiable standard in the ISO 27000 series. The security certification and
accreditation process is designed to ensure that an information system operates with the appropriate
management review, that security controls are monitored on an ongoing basis, and that
reaccreditation (reauthorization) occurs periodically.

11. Security Services and Products Acquisition. Information security services and products are
essential elements of an organization’s information security program. Such products are widely
available in the marketplace and are frequently used by federal agencies. Security products and
services should be selected and used to support the organization’s overall program to manage the
design, development, and maintenance of its information security infrastructure and to protect its
mission-critical information. Agencies should apply risk management principles to help identify
and mitigate risks associated with product acquisition.

When acquiring information security products, organizations are encouraged to conduct a
cost-benefit analysis, one that also includes the costs associated with risk mitigation. This analysis
should include a life cycle cost estimate for current products and one for each identified alternative
while highlighting the benefits associated with each alternative. NIST SP 800-36, Guide to
Selecting Information Technology Security Products, defines broad security product categories and
then specifies product types, product characteristics, and environment considerations within those
categories. The guide also provides a list of pertinent questions that agencies should ask when
selecting products.

The process of selecting information security products and services involves numerous
people throughout an organization. Each person or group involved in the process should understand
the importance of security in the organization’s information infrastructure and the security impacts
of their decisions. Personnel might be included from across the organization to provide relevant
perspective on information security needs that must be integrated into the solution.

12. Incident Response. Attacks on information systems and networks have become more numerous,
sophisticated, and severe in recent years. While preventing such attacks would be the ideal course
of action, not all security incidents can be prevented. Every organization that depends on
information systems and networks should identify and assess the risks to its systems and reduce
those risks to an acceptable level. An important component of this risk management process is the
trend analysis of past computer security incidents and the identification of effective ways to deal
with them. A well-defined incident response capability helps the organization detect incidents
rapidly, minimize loss and destruction, identify weaknesses, and restore IT operations rapidly.

13. Configuration and Change Management. The purpose of configuration and change management
is to manage the effects of changes or differences in configurations in an information system or
network. In some organizations, configuration management is the identification, inventory, and
documentation of the current information systems—hardware, software, and networking
configurations. Change management is sometimes described as a separate function that only
addresses modifications to this base configuration. Here, the two concepts are combined to address
the current and proposed states of the information systems and the management of any needed
modifications.

The Security Maintenance Model

While management models such as the ISO 27000 series and NIST SP 800-100, Information Security
Handbook: A Guide for Managers, deal with methods to manage and operate systems, a maintenance
model is designed to focus the organization's effort on maintaining systems.

The recommended maintenance model is based on five subject areas or domains:
● External monitoring
● Internal monitoring
● Planning and risk assessment
● Vulnerability assessment and remediation
● Readiness and review

external monitoring domain: The component of the maintenance model that focuses on evaluating
external threats to the organization's information assets.
difference analysis: A procedure that compares the current state of a network segment against a known
previous state of the same network segment (the baseline of systems and services).
internal monitoring domain: The component of the maintenance model that focuses on identifying,
assessing, and managing the configuration and status of information assets in an organization.

The primary goal of the internal monitoring domain is an informed awareness of the state of the
organization's networks, information systems, and information security defenses. This awareness must
be communicated and documented, especially for components that are exposed to the external network.
Internal monitoring is accomplished by:
● Building and maintaining an inventory of network devices and channels, IT infrastructure
and applications, and elements of the information security infrastructure.
● Leading the IT governance process within the organization to integrate the inevitable
changes found in all network, IT, and information security programs.
● Monitoring IT activity in real time using intrusion detection and prevention systems (IDPSs)
to detect and respond to actions or events that introduce risk to the organization's information
assets.
● Monitoring the internal state of the organization's networks and systems. To maintain
awareness of new and emerging threats, this recurring review covers the network and system
devices that are online at any given moment and any changes to the services offered on the
network. The review can be automated with difference-detection methods that identify
variances introduced into the network or system hardware and software.
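Difference analysis in code, as an added example that is not from the textbook or the course: a baseline inventory of one network segment is compared with the current snapshot, and every variance (new or missing hosts; new, removed or changed services) is collected and reported. The addresses, ports and service banners are constructed for illustration; in practice the baseline would come from the asset inventory and the snapshot from a scanner's parsed output.

```python
# Added example of difference analysis for the internal monitoring domain.
# Not from the textbook: the inventory format, addresses and service banners
# are constructed. A real baseline would be built from the asset inventory
# and the current snapshot from a scan (for example parsed nmap output).
from dataclasses import dataclass, field

# Inventory layout: {host: {open_port: service_banner}}
Inventory = dict[str, dict[int, str]]

# Constructed baseline: the approved state of one DMZ segment.
BASELINE: Inventory = {
    "10.0.1.10": {22: "OpenSSH 9.3", 443: "nginx 1.24"},
    "10.0.1.11": {443: "nginx 1.24"},
    "10.0.1.12": {25: "Postfix"},
}

# Constructed current snapshot: what today's scan of the same segment found.
CURRENT_SCAN: Inventory = {
    "10.0.1.10": {22: "OpenSSH 9.3", 443: "nginx 1.24", 8080: "Jetty 9.4"},
    "10.0.1.11": {443: "nginx 1.26"},
    "10.0.1.13": {3389: "ms-wbt-server"},
}


@dataclass
class Variance:
    """Every way the current snapshot departs from the baseline."""
    new_hosts: list[str] = field(default_factory=list)
    missing_hosts: list[str] = field(default_factory=list)
    new_services: list[tuple[str, int, str]] = field(default_factory=list)
    removed_services: list[tuple[str, int, str]] = field(default_factory=list)
    changed_services: list[tuple[str, int, str, str]] = field(default_factory=list)

    def is_clean(self) -> bool:
        """True when the segment still matches its baseline exactly."""
        return not any(vars(self).values())


def difference_analysis(baseline: Inventory, current: Inventory) -> Variance:
    """Compare a current inventory against the baseline and collect variances."""
    v = Variance()
    v.new_hosts = sorted(set(current) - set(baseline))
    v.missing_hosts = sorted(set(baseline) - set(current))
    for host in sorted(set(baseline) & set(current)):
        base_ports, cur_ports = baseline[host], current[host]
        for port in sorted(set(cur_ports) - set(base_ports)):
            v.new_services.append((host, port, cur_ports[port]))
        for port in sorted(set(base_ports) - set(cur_ports)):
            v.removed_services.append((host, port, base_ports[port]))
        for port in sorted(set(base_ports) & set(cur_ports)):
            if base_ports[port] != cur_ports[port]:
                v.changed_services.append((host, port, base_ports[port], cur_ports[port]))
    return v


def report(v: Variance, current: Inventory) -> list[str]:
    """Render the variance as one line per finding, for a ticket or daily report."""
    lines = []
    for host in v.new_hosts:
        services = ", ".join(f"{p}/{s}" for p, s in sorted(current[host].items()))
        lines.append(f"NEW HOST        {host}: {services}")
    for host in v.missing_hosts:
        lines.append(f"MISSING HOST    {host}")
    for host, port, svc in v.new_services:
        lines.append(f"NEW SERVICE     {host}:{port} {svc}")
    for host, port, svc in v.removed_services:
        lines.append(f"REMOVED SERVICE {host}:{port} {svc}")
    for host, port, old, new in v.changed_services:
        lines.append(f"CHANGED SERVICE {host}:{port} {old} -> {new}")
    return lines


if __name__ == "__main__":
    variance = difference_analysis(BASELINE, CURRENT_SCAN)
    for line in report(variance, CURRENT_SCAN):
        print(line)
```

Running the block prints one line per variance. An empty report means the segment still matches its baseline; anything else is either a change to approve into the baseline through change management or a finding to investigate (here, an unexpected host with RDP exposed and a new listener on 8080).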

planning and risk assessment domain: The component of the maintenance model that focuses on
identifying and planning ongoing information security activities and identifying and managing risks
introduced through IT and information security projects.

The primary objective of the planning and risk assessment domain is to keep a lookout over the
entire information security program, in part by identifying and planning ongoing information security
activities that further reduce risk. In fact, the bulk of the security management maintenance model
could fit in this domain. The risk assessment group also identifies and documents risks introduced both
by IT projects and by information security projects, as well as risks that may be latent in the present
environment. The primary objectives of this domain are:
● Establishing a formal review process for the information security program that complements
and supports both IT planning and strategic planning
● Instituting formal project identification, selection, planning, and management processes for
follow-up activities that augment the current information security program
● Coordinating with IT project teams to introduce risk assessment and review for all IT projects
so that risks introduced by the launches of new IT projects are identified, documented, and
factored into decisions about the projects
● Integrating a mindset of risk assessment throughout the organization that encourages other
departments to perform risk assessment activities when any technology system is implemented
or modified

Internet vulnerability assessment: An assessment approach designed to find and document
vulnerabilities that may be present in the organization's public network.
intranet vulnerability assessment: An assessment approach designed to find and document selected
vulnerabilities that are likely to be present on the organization's internal network.
modem vulnerability assessment: An assessment approach designed to find and document any
vulnerability on dial-up modems connected to the organization's networks.
penetration testing: A set of security tests and evaluations that simulate attacks by a hacker or other
malicious external source.
platform security validation (PSV): An assessment approach designed to find and document
vulnerabilities that may be present because misconfigured systems are used within the organization.
remediation: The process of removing or repairing flaws in information assets that cause a
vulnerability, or of removing the risk associated with the vulnerability.
vulnerability assessment (VA): The process of identifying and documenting specific and provable flaws
in the organization's information asset environment.
vulnerability assessment and remediation domain: The component of the maintenance model focused
on identifying specific, documented vulnerabilities and remediating them in a timely fashion.
war dialing: The use of scripted dialing attacks against a pool of phone numbers in an effort to identify
modem connections.
wireless vulnerability assessment: An assessment approach designed to find and document
vulnerabilities that may be present in the organization's wireless local area networks.

The primary goal of the vulnerability assessment and remediation domain is to identify specific,
documented vulnerabilities and remediate them in a timely fashion. This is accomplished by:
● Using documented vulnerability assessment procedures to safely collect intelligence about
internal and public networks; platforms, including servers, desktops, and process control;
dial-in modems; and wireless network systems
● Documenting background information and providing tested remediation procedures for
reported vulnerabilities
● Tracking vulnerabilities from the time they are identified until they are remediated or the
risk of loss has been accepted by an authorized member of management
● Communicating vulnerability information, including an estimate of the risk and detailed
remediation plans to the owners of vulnerable systems
● Reporting on the status of vulnerabilities that have been identified
● Ensuring that the proper level of management is involved in deciding to accept the risk of
loss associated with unrepaired vulnerabilities
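Tracking a vulnerability from the time it is identified until it is remediated or the risk of loss is accepted by authorized management, as an added example (not the textbook's code): each finding carries a remediation deadline by severity, closure as "remediated" requires an independent verification, and risk acceptance is refused unless the approver's role is authorized for that severity. The severities, SLA windows, approval roles and sample findings are constructed assumptions.

```python
# Added example of vulnerability tracking for the vulnerability assessment and
# remediation domain. Not from the textbook: the severities, SLA windows,
# approval roles and sample findings are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class State(Enum):
    IDENTIFIED = "identified"
    IN_REMEDIATION = "in_remediation"
    REMEDIATED = "remediated"        # fix applied and verified by a rescan
    RISK_ACCEPTED = "risk_accepted"  # left unrepaired, signed off by authorized management


# Constructed remediation deadlines, in days from identification.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed acceptance authority: the higher the severity, the more senior
# the manager who may accept the risk of leaving it unrepaired.
ACCEPTANCE_AUTHORITY = {
    "low": {"system_owner", "ciso", "cio"},
    "medium": {"system_owner", "ciso", "cio"},
    "high": {"ciso", "cio"},
    "critical": {"cio"},
}


class TrackingError(Exception):
    """Raised for transitions the tracking rules do not permit."""


@dataclass
class Vulnerability:
    vuln_id: str
    host: str
    severity: str
    identified: date
    state: State = State.IDENTIFIED
    owner: str = ""
    history: list[str] = field(default_factory=list)

    def deadline(self) -> date:
        return self.identified + timedelta(days=SLA_DAYS[self.severity])

    def is_open(self) -> bool:
        return self.state in (State.IDENTIFIED, State.IN_REMEDIATION)

    def is_overdue(self, today: date) -> bool:
        return self.is_open() and today > self.deadline()

    def assign(self, owner: str, on: date) -> None:
        """Hand the finding, with its risk estimate, to the owner of the system."""
        if self.state is not State.IDENTIFIED:
            raise TrackingError(f"{self.vuln_id}: cannot assign in state {self.state.value}")
        self.owner = owner
        self.state = State.IN_REMEDIATION
        self.history.append(f"{on}: assigned to {owner}")

    def remediate(self, verified_by: str, on: date) -> None:
        """Close only after an independent rescan confirms the fix."""
        if self.state is not State.IN_REMEDIATION:
            raise TrackingError(f"{self.vuln_id}: cannot remediate in state {self.state.value}")
        self.state = State.REMEDIATED
        self.history.append(f"{on}: remediation verified by {verified_by}")

    def accept_risk(self, approver: str, role: str, justification: str, on: date) -> None:
        """Leave unrepaired, but only with sign-off from a role authorized for this severity."""
        if not self.is_open():
            raise TrackingError(f"{self.vuln_id}: already closed as {self.state.value}")
        if role not in ACCEPTANCE_AUTHORITY[self.severity]:
            raise TrackingError(
                f"{self.vuln_id}: role '{role}' may not accept {self.severity} risk")
        self.state = State.RISK_ACCEPTED
        self.history.append(f"{on}: risk accepted by {approver} ({role}): {justification}")


def overdue_report(vulns: list[Vulnerability], today: date) -> list[str]:
    """One line per open finding that has passed its deadline, for escalation."""
    return [f"{v.vuln_id} {v.severity} {v.host} owner={v.owner or '-'} due={v.deadline()}"
            for v in vulns if v.is_overdue(today)]


if __name__ == "__main__":
    v = Vulnerability("VULN-0001", "10.0.1.11", "critical", date(2024, 3, 1))
    v.assign("web-team", date(2024, 3, 2))
    print(overdue_report([v], date(2024, 3, 10)))
    v.accept_risk("cio@example", "cio", "decommission scheduled", date(2024, 3, 10))
    print("\n".join(v.history))
```

The point of the design is that there is no path out of the open states except a verified fix or a recorded, authorized acceptance; a finding cannot quietly disappear, and the history shows who took responsibility for it.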

war game: A type of rehearsal that seeks to realistically simulate the circumstances needed to
thoroughly test a plan.

The primary goal of the readiness and review domain is to keep the information security program
functioning as designed and to improve it continuously over time. This goal can be accomplished by
doing the following:
● Policy review: Policy needs to be reviewed and refreshed from time to time to ensure its
soundness; in other words, it must provide a current foundation for the information security
program.
● Program review: Major planning components should be reviewed on a periodic basis to
ensure that they are current, accurate, and appropriate.
● Rehearsals: When possible, major plan elements should be rehearsed.

DIGITAL FORENSICS

digital forensics: The application of forensics techniques and methodologies to the preservation,
identification, extraction, documentation, and interpretation of digital media for evidentiary and/or
root-cause analysis.
digital malfeasance: A crime against or using digital media, computer technology, or related
components.
evidentiary material (EM): Any item or information that applies to an organization's legal or policy-
based case; also known as an item of potential evidentiary value.
forensics: The coherent application of methodical investigatory techniques to present evidence of
crimes in a court or similar setting.

Whether due to a character flaw, a need for vengeance, or simple curiosity, an employee or
outsider may attack a physical asset or information asset. When the asset is in the purview of the CISO,
the CISO is expected to understand how policies and laws require the matter to be managed. To protect
the organization and possibly assist law enforcement in an investigation, the CISO must document what
happened and how. This process is called digital forensics.
Digital forensics is based on the field of traditional forensics. Made popular by scientific
detective shows that focus on crime scene investigations, forensics involves the use of science to
investigate events. Not all events involve crimes; some involve natural events, accidents, or system
malfunctions. Forensics allows investigators to determine what happened by examining the results of
an event. It also allows them to determine how the event happened by examining activities, individual
actions, physical evidence, and testimony related to the event. However, forensics might not figure out
the why of the event; that is the focus of psychological, sociological, and criminal justice studies. Here,
the focus is on the application of forensics techniques in the digital arena.
Digital forensics involves the preservation, identification, extraction, documentation, and
interpretation of digital media, including computer media, for evidentiary and/or root cause analysis.
Like traditional forensics, it follows clear, well-defined methodologies, but it still tends to be as much
an art as a science. In other words, the natural curiosity and personal skill of the investigator play a key
role in discovering potential evidentiary material (EM). An item does not become evidence until it is
formally admitted by a judge or other ruling official.
Digital forensics investigators use a variety of tools to support their work, as you will learn later
in this chapter. However, the tools and methods used by attackers can be equally sophisticated.
Digital forensics can be used for two key purposes:
● To investigate allegations of digital malfeasance. Such an investigation requires digital
forensics to gather, analyze, and report the findings. This is the primary mission of law
enforcement in investigating crimes that involve computer technologies or online information.
● To perform root-cause analysis. If an incident occurs and the organization suspects an attack
was successful, digital forensics can be used to examine the path and methodology used to
gain unauthorized access, and to determine how pervasive and successful the attack was. This
type of analysis is used primarily by incident response teams to examine their equipment after
an incident.

Some investigations are undertaken by an organization’s own personnel, while others require
the immediate involvement of law enforcement. In general, whenever investigators discover evidence
of a crime, they should immediately notify management and recommend contacting law enforcement.
Failure to do so could result in unfavorable action against the investigator or organization.


The organization must choose one of two approaches when employing digital forensics:

1. Protect and forget. This approach, also known as patch and proceed, focuses on the defense
of data and the systems that house, use, and transmit it. An investigation that takes this
approach focuses on the detection and analysis of events to determine how they happened
and to prevent reoccurrence. Once the current event is over, who caused it or why is almost
immaterial.
2. Apprehend and prosecute. This approach, also known as pursue and prosecute, focuses on
the identification and apprehension of responsible parties, with additional attention to the
collection and preservation of potential EM that might support administrative or criminal
prosecution. This approach requires much more attention to detail to prevent contamination
of evidence that might hinder prosecution.

An organization that takes the first approach may find it has not retained enough data to support
even administrative penalties. It should adopt the latter approach if it wants to pursue formal
administrative penalties, especially if the employee is likely to challenge them.
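Preserving potential evidentiary material under the apprehend-and-prosecute approach, as an added example that is not taken from the textbook: the acquired image is hashed at acquisition, every hand-off re-hashes it and appends a chain-of-custody entry, analysis is done only on a verified working copy, and a hash mismatch is recorded rather than silently passed on. The image bytes, names and timestamps are constructed; a real acquisition would image the device through a write blocker and hash the resulting image file the same way.

```python
# Added example of preserving potential evidentiary material (EM). Not from
# the textbook: the "disk image" bytes, names and timestamps are constructed.
# A real acquisition would image the device through a write blocker and hash
# the resulting image file in exactly the same way.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for an acquired image of a seized workstation drive.
SAMPLE_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"user: jdoe\nlast_login: 2024-03-01\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: datetime
    custodian: str
    action: str
    digest: str  # hash computed at the moment of the action


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    chain: list[CustodyEntry] = field(default_factory=list)


def acquire(item_id: str, description: str, image: bytes,
            examiner: str, when: datetime) -> EvidenceItem:
    """Hash the image at acquisition; this value anchors every later check."""
    digest = sha256_hex(image)
    item = EvidenceItem(item_id, description, digest)
    item.chain.append(CustodyEntry(when, examiner, "acquired and hashed", digest))
    return item


def verify(item: EvidenceItem, image: bytes) -> bool:
    """True if the image still matches the hash taken at acquisition."""
    return sha256_hex(image) == item.acquisition_hash


def transfer(item: EvidenceItem, image: bytes, from_person: str,
             to_person: str, when: datetime) -> bool:
    """Hand-off: re-hash, record the result, and report whether integrity held."""
    digest = sha256_hex(image)
    intact = digest == item.acquisition_hash
    action = f"transferred from {from_person} to {to_person}"
    if not intact:
        action += " [HASH MISMATCH: evidence may be contaminated]"
    item.chain.append(CustodyEntry(when, to_person, action, digest))
    return intact


def working_copy(item: EvidenceItem, image: bytes) -> bytearray:
    """Analysis happens on a verified copy; the original is never modified."""
    if not verify(item, image):
        raise ValueError(f"{item.item_id}: refusing to analyze an image that fails verification")
    return bytearray(image)


def custody_log(item: EvidenceItem) -> list[str]:
    """Human-readable chain of custody, one line per entry."""
    return [f"{e.when.isoformat()} {e.custodian}: {e.action} sha256={e.digest[:16]}..."
            for e in item.chain]


if __name__ == "__main__":
    now = datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)
    item = acquire("EM-2024-001", "workstation drive image", SAMPLE_IMAGE, "examiner-1", now)
    transfer(item, SAMPLE_IMAGE, "examiner-1", "evidence-locker", now)
    copy = working_copy(item, SAMPLE_IMAGE)
    copy[-1:] = b"X"  # analyst's changes land on the copy only
    print("original still verifies:", verify(item, SAMPLE_IMAGE))
    print("\n".join(custody_log(item)))
```

The acquisition hash is the single fact that lets anyone later show the item examined is the item seized; the custody log shows who held it and when. Both are what a defense will ask for, and both are cheap to keep if they are recorded from the first minute.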
