Security INFO CISSP R-Whitmanch03-04

Chapter 3 of 'Principles of Information Security' focuses on planning for security, emphasizing the role of management in developing and enforcing information security policies and the importance of an information security blueprint. It outlines the need for strategic and contingency planning, the governance of information security, and the establishment of various types of security policies, including Enterprise Information Security Policies and Issue-Specific Security Policies. The chapter also discusses the significance of education, training, and awareness programs in institutionalizing security practices within an organization.


Principles of Information Security, Seventh Edition
Chapter 3: Planning for Security

Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for
classroom use.
Learning Objectives (1 of 2)
• Upon completion of this material, you should be able
to:
– Describe management’s role in the development,
maintenance, and enforcement of information security
policy, standards, practices, procedures, and
guidelines
– Explain what an information security blueprint is,
identify its major components, and explain how it
supports the information security program

Learning Objectives (2 of 2)

– Discuss how an organization institutionalizes its policies, standards, and practices using education, training, and awareness programs
– Describe what contingency planning is and how it
relates to incident response planning, disaster
recovery planning, and business continuity plans

Introduction

• An information security program begins with policies, standards, and practices, which are the foundation for the information security architecture and blueprint.
• Coordinated planning is required to create and maintain these elements.
• Strategic planning manages the allocation of resources.
• Contingency planning prepares the organization for an uncertain business environment.

Introduction

InfoSec management oversees a specialized program, and certain aspects of its managerial responsibility are unique. These unique functions are known as “the six Ps”:

1. Planning
2. Policy
3. Programs
4. Protection
5. People
6. Project management

1- Information Security Planning
• Planning levels help translate an organization’s strategic plans into tactical objectives.
• Planning and the CISO: The business strategy is translated into the IT strategy. The strategies of the other business units and the IT strategy are then used to develop the InfoSec strategy. Just as the CIO uses the IT objectives gleaned from the business unit plans to create the organization’s IT strategy, the CISO derives InfoSec objectives from the IT and other business unit plans to create the organization’s InfoSec strategy.
⁃ Tactical planning
⁃ Operational planning

Information Security Planning

Strategic planning and corporate responsibility are best accomplished using an approach the industry refers to as governance, risk management, and compliance (GRC).

Governance
– Governance:
▪ Set of responsibilities and practices exercised by the board and executive
management
▪ Goal to provide strategic direction, establishment of objectives, and measurement of
progress toward objectives
▪ Also, verifies/validates that risk management practices are appropriate and assets are
used properly.
▪ Corporate governance: Just like governments, corporations and other
organizations have guiding documents—corporate charters or partnership
agreements—as well as appointed or elected leaders or officers, and planning
and operating procedures. These elements in combination provide corporate
governance.
▪ Information security governance: Each operating unit within an organization
also has controlling customs, processes, committees, and practices. The
information security group’s leadership monitors and manages all organizational
structures and processes that safeguard information. Information security
governance then applies these principles and management structures to the
information security function.

Governance Outcomes

• Information security governance outcomes
– Five goals:
▪ Strategic alignment
▪ Risk management
▪ Resource management
▪ Performance measurement
▪ Value delivery

Figure 4-1 Information security
governance roles and responsibilities

Source: This information is derived from the Corporate Governance Task Force Report, “Information
Security Governance: A Call to Action,” April 2004, National Cyber Security Task Force.

2- Policy as the Foundation for Planning

• Management from communities of interest must make policies the basis for all information security planning, design, and deployment.
• Policies direct how issues should be addressed and
technologies used.
• Policies should never contradict law, must be able to
stand up in court, and must be properly
administered.
• Security policies are the least expensive controls to
execute but most difficult to implement properly.

2- Information Security Policy, Standards,
and Practices
• Policy functions as organizational law that dictates
acceptable and unacceptable behaviour within an
organization.
⁃ Policies direct how issues should be addressed and how technologies
should be used.
⁃ Policies do not specify the proper operation of equipment or software—this
information should be placed in the standards, procedures, and practices of
users’ manuals and systems documentation.

• Standards: more detailed statements of what must be done to comply with policy.
⁃ De facto standard: A standard that has been widely adopted or accepted by
a public group rather than a formal standards organization.
⁃ De jure standard: A standard that has been formally evaluated, approved,
and ratified by a formal standards organization.

2- Information Security Policy, Standards,
and Practices
• Practices: Examples of actions that illustrate
compliance with policies.
• Procedure: Step-by-step instructions designed to
assist employees in following policies, standards,
and guidelines.
• Guidelines: Nonmandatory recommendations the
employee may use as a reference in complying with
a policy.
• For a policy to be effective, it must be properly
disseminated, read, understood, and agreed to by all
members of the organization, and uniformly enforced.
Figure 4-2 Policies, standards,
guidelines, and procedures

Management must define three types of security
policy, according to SP 800-14 of the National
Institute of Standards and Technology (NIST):
• Enterprise Information Security Policy (EISP)
• Issue-specific Security Policies (ISSPs)
• Systems-specific Policies (SysSPs)

Enterprise Information Security Policy (EISP) (1 of 2)
• Sets strategic direction, scope, and tone for all security efforts within the organization
• Executive-level document, usually drafted by or with the chief information officer (CIO) of the organization
• Typically addresses compliance in two areas:
– General compliance, to ensure that the requirements for establishing the program are met and that responsibilities are assigned to the various organizational components.
– Use of specified penalties and disciplinary action.

Enterprise Information Security Policy (EISP) (2 of 2)
• EISP Elements should include:
– Overview of the corporate security philosophy
– Information on the structure of the organization and
people in information security roles
– Articulated responsibilities for security shared by all
members of the organization
– Articulated responsibilities for security unique to each
role in the organization

Table 4-1 Components of the EISP (1 of 3)

Component: Statement of Purpose
Description: Answers the question "What is this policy for?" Provides a framework that helps the reader understand the intent of the document. Can include text such as the following: "This document will:
• Identify the elements of a good security policy
• Explain the need for information security
• Specify the various categories of information security
• Identify the information security responsibilities and roles
• Identify appropriate levels of security through standards and guidelines
This document establishes an overarching security policy and direction for our company. Individual departments are expected to establish standards, guidelines, and operating procedures that adhere to and reference this policy while addressing their specific and individual needs."

Table 4-1 Components of the EISP (2 of 3)

Component: Information Security Elements
Description: Defines information security. For example: "Protecting the confidentiality, integrity, and availability of information while in processing, transmission, and storage, through the use of policy, education and training, and technology ..." This section can also lay out security definitions or philosophies to clarify the policy.

Component: Need for Information Security
Description: Provides information on the importance of information security in the organization and the legal and ethical obligation to protect critical information about customers, employees, and markets.

Table 4-1 Components of the EISP (3 of 3)

Component: Information Security Responsibilities and Roles
Description: Defines the organizational structure designed to support information security within the organization. Identifies categories of people with responsibility for information security (IT department, management, users) and those responsibilities, including maintenance of this document.

Component: Reference to Other Information Standards and Guidelines
Description: Lists other standards that influence this policy document and are influenced by it, perhaps including relevant federal laws, state laws, and other policies.

Issue-Specific Security Policy (ISSP) (1 of 3)
• The ISSP: These are sets of rules that define acceptable
behavior within a specific organizational resource, such
as e-mail or Internet usage. As an organization supports
routine operations by executing various technologies
and processes, it must instruct employees on their
proper use.
– Addresses specific areas of technology
– Requires frequent updates
– Contains a statement on the organization’s position on
a specific issue.

Issue-Specific Security Policy (ISSP) (2 of 3)
An ISSP may cover the following topics, among others:
• E-mail
• Use of the Internet and World Wide Web
• Specific minimum configurations of computers to defend against worms and
viruses
• Prohibitions against hacking or testing organization security controls
• Home use of company-owned computer equipment
• Use of personal equipment on company networks (BYOD: bring your own
device)
• Use of telecommunications technologies, such as fax and phone
• Use of photocopy equipment

• Three common approaches when creating and managing ISSPs:
– Create a number of independent ISSP documents
– Create a single comprehensive ISSP document
– Create a modular ISSP document
Issue-Specific Security Policy (ISSP) (3 of 3)
• Components of the policy:
– Statement of policy
– Authorized access and usage of equipment
– Prohibited use of equipment
– Systems management
– Violations of policy
– Policy review and modification
– Limitations of liability

Table 4-2 Components of the ISSP (1 of 4)

• Statement of policy
― Scope and applicability
― Definition of technology addressed
― Responsibilities
• Authorized access and usage of equipment
― User access
― Fair and responsible use
― Protection of privacy

Table 4-2 Components of the ISSP (2 of 4)

• Prohibited use of equipment
― Disruptive use or misuse
― Criminal use
― Offensive or harassing materials
― Copyrighted, licensed, or other intellectual property
― Other restrictions
• Systems management
― Management of stored materials
― Employee monitoring
― Virus protection

Table 4-2 Components of the ISSP (3 of 4)

― Physical security
― Encryption
• Violations of policy
― Procedures for reporting violations
― Penalties for violations
• Policy review and modification
― Scheduled review of policy procedures for
modification
― Legal disclaimers

Table 4-2 Components of the ISSP (4 of 4)

• Limitations of liability
― Statements of liability
― Other disclaimers as needed

Systems-Specific Security Policy (SysSP) (1 of 3)

• SysSPs often function as standards or procedures used when configuring or maintaining systems.
• SysSPs fall into two groups:
– Managerial guidance
– Technical specifications
• Access control lists (ACLs) can restrict access for a
particular user, computer, time, duration—even a
particular file.

Systems-Specific Security Policy (SysSP) (2 of 3)

1- Managerial guidance SysSPs are created by management to guide the implementation and configuration of technology and to address the behaviour of employees in ways that support information security.
For example, while the method for configuring a firewall belongs to the technical specifications SysSP, the firewall’s configuration must follow guidelines established by management. An organization might not want its employees to access the Internet via the organization’s network, for instance; in that case, the firewall should be configured accordingly.

2- Technical specifications SysSPs are created to implement the managerial policy. Each type of equipment requires its own set of policies, which are used to translate management’s intent for technical control into an enforceable technical approach.
For example, an ISSP may require that user passwords be changed quarterly; a systems administrator can implement a technical control within a specific application to enforce this policy. There are two general methods of implementing such technical controls: access control lists and configuration rules.

Systems-Specific Security Policy (SysSP) (3 of 3)

• Configuration rule policies govern how a security system reacts to received data.
• Many organizations create a single document that combines the managerial guidance SysSP and the technical specifications SysSP.
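As an added illustration (not from the textbook) of how a technical specifications SysSP turns managerial intent into an enforceable control: a small Python access control list evaluator that restricts access by user, computer, file, time of day and session duration, plus a configuration rule for the quarterly password change example from the previous slide. The user names, hostnames, paths and the 90-day reading of "quarterly" are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from fnmatch import fnmatch
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    """One access control list rule: who, from where, on which files, when, how long."""
    user: str                                   # exact user name, or "*" for any user
    host: str                                   # glob on the requesting computer, e.g. "hr-ws-*"
    path: str                                   # glob on the file path, e.g. "/srv/hr/payroll/*"
    allow: bool                                 # True = permit, False = deny
    hours: Optional[Tuple[time, time]] = None   # permitted time-of-day window; None = any time
    max_minutes: Optional[int] = None           # session duration limit; None = no limit


@dataclass
class Request:
    """An access attempt the ACL is evaluated against."""
    user: str
    host: str
    path: str
    at: datetime
    session_minutes: int = 0


def _in_window(t: time, window: Tuple[time, time]) -> bool:
    """True if t falls inside [start, end); a window may wrap past midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def entry_matches(entry: AclEntry, req: Request) -> bool:
    """Match every dimension the slide lists: user, computer, file, time, duration.
    An allow entry whose duration limit is exceeded does not match, so evaluation
    falls through to later rules or to the implicit deny."""
    if entry.user != "*" and entry.user != req.user:
        return False
    if not fnmatch(req.host, entry.host) or not fnmatch(req.path, entry.path):
        return False
    if entry.hours is not None and not _in_window(req.at.time(), entry.hours):
        return False
    if entry.max_minutes is not None and req.session_minutes > entry.max_minutes:
        return False
    return True


def evaluate(acl: List[AclEntry], req: Request) -> Tuple[bool, str]:
    """First matching entry wins. No match means deny, so the list fails closed."""
    for index, entry in enumerate(acl):
        if entry_matches(entry, req):
            return entry.allow, f"rule {index}"
    return False, "implicit deny"


def password_rotation_compliant(last_changed: str, today: str, max_age_days: int = 90) -> bool:
    """Configuration rule for the slide's ISSP example: passwords changed quarterly.
    Dates are ISO strings; max_age_days=90 is an assumed reading of 'quarterly'."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) <= timedelta(days=max_age_days)


# Constructed sample ACL translating a managerial guidance SysSP into technical terms:
# "HR staff may open payroll files from HR workstations during office hours (08:00-18:00),
#  with sessions limited to four hours; contractor accounts may never touch payroll;
#  everything else is denied." Users, hostnames and paths are made up for the example.
PAYROLL_ACL = [
    AclEntry(user="contractor", host="*", path="/srv/hr/payroll/*", allow=False),
    AclEntry(user="alice", host="hr-ws-*", path="/srv/hr/payroll/*", allow=True,
             hours=(time(8, 0), time(18, 0)), max_minutes=240),
]


def sample_decisions() -> List[Tuple[bool, str]]:
    """Evaluate constructed access attempts against PAYROLL_ACL."""
    payroll = "/srv/hr/payroll/march.xlsx"
    attempts = [
        Request("alice", "hr-ws-07", payroll, datetime(2024, 3, 12, 10, 30), 30),   # in policy
        Request("alice", "hr-ws-07", payroll, datetime(2024, 3, 12, 22, 0), 30),    # after hours
        Request("alice", "laptop-9", payroll, datetime(2024, 3, 12, 10, 30), 30),   # wrong computer
        Request("alice", "hr-ws-07", payroll, datetime(2024, 3, 12, 10, 30), 300),  # session too long
        Request("contractor", "hr-ws-01", payroll, datetime(2024, 3, 12, 10, 0), 5),  # explicit deny
    ]
    return [evaluate(PAYROLL_ACL, req) for req in attempts]


if __name__ == "__main__":
    for allowed, reason in sample_decisions():
        print("ALLOW" if allowed else "DENY", reason)
    print("password age within 90 days:", password_rotation_compliant("2024-01-01", "2024-03-31"))
```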

Defensible Policy
For policies to be effective and legally defensible, the following must
be done properly:
1. Development—Policies must be written using industry-accepted
practices and formally approved by management.
2. Dissemination—Policies must be distributed using all appropriate
methods.
3. Review—Policies must be readable and read by all employees.
4. Comprehension—Policies must be understood by all employees.
5. Compliance—Policies must be formally agreed to by act or
affirmation.
6. Enforcement—Policies must be uniformly applied to all
employees.

Policy

- Like any major project, a policy development or redevelopment project should be well-planned, properly funded, and aggressively managed to ensure that it is completed on time and within budget.
- One way to accomplish this goal is to use a systems development life cycle (SDLC).
⁃ Investigation Phase
⁃ Analysis Phase
⁃ Design Phase
⁃ Implementation Phase
⁃ Maintenance Phase
Policy Management

• Policies must be managed as they constantly change.
• To remain viable, security policies must have:
– A responsible manager
– A schedule of reviews
– A method for making recommendations for reviews
– A policy issuance and revision date
– Automated policy management

3- Information Security Programs

• InfoSec operations that are specifically managed as separate entities are called “programs.”
• An example would be a security education, training, and
awareness (SETA) program or a risk management
program.

Security education, training, and awareness
(SETA) program
Once your organization has defined the policies that will guide
its security program, it is time to implement a security
education, training, and awareness (SETA) program.

• Everyone in an organization needs to be trained and made aware of information security, but not everyone needs a formal degree or certificate in information security.
• Security training provides employees with detailed information and hands-on instruction to prepare them to perform their duties securely.

Security Education, Training, and Awareness
Program
• Once a general security policy exists, implement a security
education, training, and awareness (SETA) program.
• SETA is a control measure designed to reduce accidental
security breaches.
• The SETA program consists of security education, security
training, and security awareness.
• It enhances security by improving awareness, developing skills
and knowledge, and building in-depth knowledge.
• A security awareness program is one of the least frequently
implemented but most beneficial programs in an organization.

Security Education

• Everyone in an organization needs to be trained and aware of information security; not every member needs a formal degree or certificate in information security.
• When formal education is deemed appropriate, an employee can investigate courses in continuing education from local institutions of higher learning.
• A number of universities have formal coursework in information security.
Security Training

• Provides members of the organization with detailed information and hands-on instruction to prepare them to perform their duties securely.
• Management of information security can develop customized in-house training or outsource the training program.
• Alternatives to formal training include conferences and programs offered through professional organizations.
Security Awareness

• One of the least frequently implemented but most beneficial programs is the security awareness program.
• It is designed to keep information security at the forefront of users’ minds.
• It need not be complicated or expensive.
• If the program is not actively implemented, employees may begin to neglect security matters, and the risk of employee accidents and failures is likely to increase.
Table 4-6 Comparative Framework of SETA

Education
• Attribute: Why
• Objective: Understanding
• Teaching method: Theoretical instruction (discussion seminar, background reading)
• Test measure: Essay (interpret learning)
• Impact timeframe: Long term

Training
• Attribute: How
• Objective: Skill
• Teaching method: Practical instruction (lecture, case study workshop, hands-on practice)
• Test measure: Problem solving (apply learning)
• Impact timeframe: Intermediate

Awareness
• Attribute: What
• Objective: Exposure
• Teaching method: Media (videos, newsletters, posters)
• Test measure: True or false, multiple choice (identify learning)
• Impact timeframe: Short term

Source: NIST SP 800-12

Figure 4-12 Components of contingency
planning

Continuity Strategies (1 of 2)

• Incident response plans (IRPs), disaster recovery plans (DRPs), and business continuity plans (BCPs)
• Primary functions of the above plans:
– IRP focuses on immediate response; if the attack escalates
or is disastrous, process changes to DRP and BCP.
– DRP typically focuses on restoring systems after disasters
occur; as such, it is closely associated with BCP.
– BCP occurs concurrently with DRP when damage is major or
ongoing, requiring more than simple restoration of
information and information resources.

Continuity Strategies (2 of 2)

• Before planning can actually begin, a team has to start the process:
– Champion: high-level manager to support, promote,
and endorse findings of the project
– Project manager: leads project and ensures sound
project planning process is used, a complete and
useful project plan is developed, and project
resources are prudently managed
– Team members: should be managers, or their
representatives, from various communities of interest:
business, IT, and information security
Figure 4-13 Contingency planning timeline

Contingency Planning (CP) Process

• Includes the following steps:
– Develop CP policy statement
– Conduct business impact analysis
– Identify preventive controls
– Create contingency strategies
– Develop contingency plan
– Ensure plan testing, training, and exercises
– Ensure plan maintenance

Figure 4-14 Major steps in contingency planning

The CP Policy

• Should contain the following sections:
– Introductory statement of philosophical perspective
– Statement of scope/purpose
– Call for periodic risk assessment/BIA
– Specification of CP’s major components
– Call for/guidance in the selection of recovery options
– Requirement to test the various plans regularly
– Identification of key regulations and standards
– Identification of key people responsible for CP operations
– Challenge to the organization members for support
– Administrative information

Business Impact Analysis (BIA)
• Investigation and assessment of various adverse events that
can affect organization
• Assumes security controls have been bypassed, have failed, or
have proven ineffective, and the attack has succeeded
• Organization should consider scope, plan, balance, knowledge
of objectives, and follow-ups
• Three stages:
– Determine mission/business processes and recovery
criticality
– Identify recovery priorities for system resources
– Identify resource requirements

RPO, RTO, WRT, and MTD
• Recovery Point Objective (RPO)
• Recovery Time Objective (RTO)
• Work Recovery Time (WRT)
• Maximum Tolerable Downtime (MTD)

https://defaultreasoning.com/2013/12/10/rpo-rto-wrt-mtd/
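The four measures fit together along one outage timeline: data loss runs backwards from the outage to the last good backup and is judged against the RPO, while RTO and WRT run forward from the outage and together bound the MTD. The Python below is an added example, not code from the textbook or its slides; it assumes MTD = RTO + WRT (the relationship described in the linked article), and the process name, targets and timestamps are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryTargets:
    """Targets the BIA sets for one business process (constructed values)."""
    rpo: timedelta  # Recovery Point Objective: tolerable data loss, measured back from the outage
    rto: timedelta  # Recovery Time Objective: time allowed to get systems running again
    wrt: timedelta  # Work Recovery Time: time allowed to verify data and resume normal work

    @property
    def mtd(self) -> timedelta:
        # Assumption used here: Maximum Tolerable Downtime is the sum of RTO and WRT.
        return self.rto + self.wrt


@dataclass(frozen=True)
class OutageTimeline:
    """What actually happened, as recorded in the incident log (constructed)."""
    last_good_backup: datetime  # most recent backup that survived the event
    outage_start: datetime      # moment the process stopped
    systems_restored: datetime  # hardware/OS/application back up, data not yet verified
    work_resumed: datetime      # business process running normally again

    def __post_init__(self) -> None:
        # Reject a log whose events are out of order instead of reporting nonsense metrics.
        events = (self.last_good_backup, self.outage_start,
                  self.systems_restored, self.work_resumed)
        if any(a > b for a, b in zip(events, events[1:])):
            raise ValueError("timeline events must be in chronological order")


def timeline_from_iso(backup: str, outage: str, restored: str, resumed: str) -> OutageTimeline:
    """Build a timeline from ISO-8601 strings such as '2024-03-01T06:00'."""
    return OutageTimeline(*(datetime.fromisoformat(s) for s in (backup, outage, restored, resumed)))


def measure(timeline: OutageTimeline) -> dict:
    """Derive the achieved data loss, RTO, WRT and total downtime from the timeline."""
    return {
        "data_loss": timeline.outage_start - timeline.last_good_backup,
        "rto": timeline.systems_restored - timeline.outage_start,
        "wrt": timeline.work_resumed - timeline.systems_restored,
        "downtime": timeline.work_resumed - timeline.outage_start,
    }


def evaluate(targets: RecoveryTargets, timeline: OutageTimeline) -> dict:
    """Compare achieved values with the BIA targets; True means the target was met."""
    got = measure(timeline)
    return {
        "rpo_met": got["data_loss"] <= targets.rpo,
        "rto_met": got["rto"] <= targets.rto,
        "wrt_met": got["wrt"] <= targets.wrt,
        "mtd_met": got["downtime"] <= targets.mtd,
    }


# Constructed scenario: nightly backup at midnight, outage at 06:00,
# systems back at 10:00, staff working normally again at 12:30.
PAYROLL_TARGETS = RecoveryTargets(rpo=timedelta(hours=4), rto=timedelta(hours=4),
                                  wrt=timedelta(hours=2))
PAYROLL_OUTAGE = timeline_from_iso("2024-03-01T00:00", "2024-03-01T06:00",
                                   "2024-03-01T10:00", "2024-03-01T12:30")

if __name__ == "__main__":
    for name, ok in evaluate(PAYROLL_TARGETS, PAYROLL_OUTAGE).items():
        print(f"{name}: {'met' if ok else 'MISSED'}")
```

In the constructed scenario the RTO is met but the MTD is still missed: the extra half hour of work recovery is what pushes the process past its tolerable downtime, which is why the BIA has to set a WRT and not only an RTO.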

Incident Response Planning (1 of 8)

• Incident response planning includes identification of, classification of, and response to an incident.
• Attacks are classified as incidents if they:
– Are directed against information assets
– Have a realistic chance of success
– Could threaten confidentiality, integrity, or availability
of information resources
• Incident response is more reactive than proactive,
with the exception of planning that must occur to
prepare IR teams to be ready to react to an incident.

Incident Response Planning (2 of 8)

• Incident response policy identifies the following key components:
– Statement of management commitment
– Purpose/objectives of policy
– Scope of policy
– Definition of InfoSec incidents and related terms
– Organizational structure
– Prioritization or severity ratings of incidents
– Performance measures
– Reporting and contact forms
Incident Response Planning (3 of 8)

• Incident Planning
– Predefined responses enable the organization to react
quickly and effectively to the detected incident if:
▪ The organization has an IR team
▪ The organization can detect the incident
– IR team consists of individuals needed to handle systems
as incident takes place
• Incident response plan
– Format and content
– Storage
– Testing

Incident Response Planning (4 of 8)

• Incident detection
– Most common occurrence is complaint about
technology support, often delivered to help desk.
– Careful training is needed to quickly identify and
classify an incident.
– Once incident is properly identified, the organization
can respond.
– Incident indicators vary.

Incident Response Planning (5 of 8)

• Incident reaction
– Consists of actions that guide the organization to stop
incidents, mitigate their impact, and provide information for
recovery
– Actions that must occur quickly:
▪ Notification of key personnel
▪ Documentation of the incident
• Incident containment strategies
– Containment of the incident’s scope or impact is first priority;
must then determine which information systems are affected.

Incident Response Planning (6 of 8)

– The organization can stop the incident and attempt to recover control through a number of strategies.
• Incident recovery
– Once incident has been contained and control of
systems regained, the next stage is recovery.
– The first task is to identify human resources needed
and launch them into action.
– Full extent of the damage must be assessed.

Incident Response Planning (7 of 8)
– Organization repairs vulnerabilities, addresses any
shortcomings in safeguards, and restores data and
services of the systems.
• Damage assessment
– Several sources of information on damage can be used,
including system logs, intrusion detection logs,
configuration logs and documents, documentation from
incident response, and results of detailed assessment of
systems and data storage.
– Computer evidence must be carefully collected,
documented, and maintained to be usable in formal or
informal proceedings.

Incident Response Planning (8 of 8)

– Individuals who assess damage need special training.
• Automated response
– New systems can respond to incident threats
autonomously.
– The downsides of current automated response
systems may outweigh the benefits.
▪ Legal liabilities of a counterattack
▪ Ethical issues

Disaster Recovery Planning

• Disaster recovery planning (DRP) is preparation for and recovery from a disaster.
• The contingency planning team must decide which
actions constitute disasters and which constitute
incidents.
• When situations are classified as disasters, plans
change as to how to respond; take action to secure most
valuable assets to preserve value for the longer term.
• DRP strives to reestablish operations at the primary site.

Business Continuity Planning (1 of 3)

• BCP prepares the organization to reestablish or relocate critical business operations during a disaster that affects operations at the primary site.
• If disaster has rendered the current location unusable,
there must be a plan to allow business to continue
functioning.
• Development of BCP is somewhat simpler than IRP or
DRP.
– It consists primarily of selecting a continuity strategy and
integrating off-site data storage and recovery functions into
this strategy.

Business Continuity Planning (2 of 3)
• Continuity strategies
– There are a number of strategies for planning for business continuity.
– The determining factor in selecting between options is usually cost.
– In general, there are three exclusive options: hot sites, warm sites, and
cold sites.
– "cold" (facility is prepared), "warm" (equipment is in place), "hot" (operational data is loaded)
– There are three shared functions: time-share, service bureaus, and mutual
agreements.
– Time-sharing in BCP refers to an arrangement where multiple
organizations share the use of a disaster recovery facility or data
center.
– Service bureaus in BCP are external providers that offer specific
disaster recovery and business continuity services.
– Mutual agreements in BCP are reciprocal arrangements between two
or more organizations to support each other during a disruption.

Business Continuity Planning (3 of 3)

• Off-site disaster data storage
– To get sites up and running quickly, an organization must
have the ability to move data into new site’s systems.
– Options for getting operations up and running include:
▪ Electronic vaulting: involves the transfer of backup data to
a remote location, typically over a network, at regular
intervals.
▪ Remote journaling: involves the real-time or near-real-time
transfer of transaction logs or journal entries to a remote
location.
▪ Database shadowing: maintaining an exact, real-time copy
(or shadow) of a database at a remote location.
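The three options differ in how far behind the primary site the remote copy is allowed to fall, and that lag is what fixes the recovery point a BCP can actually promise. The Python below is an added illustration, not code from the textbook: it replays a constructed transaction log through a simplified model of each option (periodic bulk vault, journal shipping with a delivery lag, synchronous shadow) and reports the recovery point, lost transactions and rebuilt balances for each; the vault interval and journal lag are assumed values.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    """One committed transaction on the primary site (constructed sample data)."""
    t: int        # commit time, minutes after the start of the business day
    account: str
    delta: int    # signed amount applied to the account balance


# Constructed ledger: everything the primary site committed before it was lost.
PRIMARY_LOG: List[Txn] = [
    Txn(5, "acct-A", 100), Txn(17, "acct-B", 40), Txn(33, "acct-A", -25),
    Txn(48, "acct-C", 70), Txn(61, "acct-B", -10), Txn(74, "acct-C", 15),
    Txn(78, "acct-A", 5),
]
DISASTER_AT = 80  # minute at which the primary site became unusable


def apply(txns: List[Txn]) -> Dict[str, int]:
    """Rebuild account balances from a transaction list."""
    balances: Dict[str, int] = {}
    for tx in txns:
        balances[tx.account] = balances.get(tx.account, 0) + tx.delta
    return balances


def electronic_vaulting(log: List[Txn], disaster_at: int, interval: int) -> Tuple[int, List[Txn]]:
    """Bulk backup shipped every `interval` minutes. A vault still in flight when the
    disaster strikes is assumed lost, so recovery falls back to the last completed one."""
    last_vault = max(0, (disaster_at - 1) // interval) * interval
    return last_vault, [tx for tx in log if tx.t <= last_vault]


def remote_journaling(log: List[Txn], disaster_at: int, lag: int) -> Tuple[int, List[Txn]]:
    """Journal entries shipped continuously but landing `lag` minutes after commit;
    entries still in transit at the disaster moment never arrive."""
    cutoff = disaster_at - lag
    return cutoff, [tx for tx in log if tx.t <= cutoff]


def database_shadowing(log: List[Txn], disaster_at: int) -> Tuple[int, List[Txn]]:
    """Synchronous shadow: a commit is not acknowledged until the remote copy has it,
    so every transaction committed before the disaster is recoverable."""
    return disaster_at, [tx for tx in log if tx.t < disaster_at]


def compare_options(log: List[Txn], disaster_at: int,
                    vault_interval: int = 60, journal_lag: int = 5) -> Dict[str, dict]:
    """Recovery point, data-loss window, lost transactions and balances per option."""
    committed = [tx for tx in log if tx.t < disaster_at]
    runs = {
        "electronic_vaulting": electronic_vaulting(log, disaster_at, vault_interval),
        "remote_journaling": remote_journaling(log, disaster_at, journal_lag),
        "database_shadowing": database_shadowing(log, disaster_at),
    }
    report: Dict[str, dict] = {}
    for name, (point, recovered) in runs.items():
        kept = set(recovered)
        report[name] = {
            "recovery_point": point,
            "data_loss_minutes": disaster_at - point,
            "lost_txns": [tx for tx in committed if tx not in kept],
            "balances": apply(recovered),
        }
    return report


def options_meeting_rpo(report: Dict[str, dict], rpo_minutes: int) -> List[str]:
    """Names of the options whose data-loss window fits inside the stated RPO."""
    return [name for name, r in report.items() if r["data_loss_minutes"] <= rpo_minutes]


if __name__ == "__main__":
    report = compare_options(PRIMARY_LOG, DISASTER_AT)
    for name, r in report.items():
        print(f"{name}: recovery point t={r['recovery_point']}, "
              f"{len(r['lost_txns'])} transaction(s) lost, balances={r['balances']}")
    print("meets a 10-minute RPO:", options_meeting_rpo(report, 10))
```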

Crisis Management (1 of 3)

• Actions taken in response to an emergency should minimize injury/loss of life, preserve organization’s
image/market share, and complement disaster
recovery/business continuity processes.
• What may truly distinguish an incident from a disaster
are the actions of the response teams.
• Disaster recovery personnel must know their roles
without any supporting documentation.
– Preparation
– Training
– Rehearsal

Crisis Management (2 of 3)

• Crisis management team is responsible for managing the event from an enterprise perspective
and covers:
– Supporting personnel and families during crisis
– Determining impact on normal business operations
and, if necessary, making disaster declaration
– Keeping the public informed
– Communicating with major customers, suppliers,
partners, regulatory agencies, industry organizations,
the media, and other interested parties

Crisis Management (3 of 3)

• Key areas of crisis management also include:
– Verifying personnel head count
– Checking alert roster
– Checking emergency information cards

The Consolidated Contingency Plan

• Single document set approach combines all aspects of contingency policy and plan, incorporating IR, DR,
and BC plans.
• Often created and stored electronically, it should be
easily accessible by employees in time of need.
– Small- and medium-sized organizations may also
store hard copies of the document.

Law Enforcement Involvement

• When the incident at hand constitutes a violation of law, the organization may determine involving law enforcement is
necessary.
• Questions:
– When should law enforcement get involved?
– What level of law enforcement agency should be involved
(local, state, federal)?
– What happens when a law enforcement agency is
involved?
• Some questions are best answered by the legal
department.

Benefits and Drawbacks of Law Enforcement Involvement (1 of 2)
• Advantages of involving law enforcement agencies:
– Agencies may be better equipped at processing
evidence.
– Organization may be less effective in extracting the
necessary information to legally convict a suspected
criminal.
– Law enforcement agencies are prepared to handle
any necessary warrants and subpoenas.
– Law enforcement is skilled at obtaining witness
statements and other information collection.

Benefits and Drawbacks of Law Enforcement Involvement (2 of 2)
• Disadvantages of involving law enforcement
agencies:
– Once a law enforcement agency takes over the case,
the organization cannot control the chain of events.
– The organization may not hear about the case for
weeks or months.
– Equipment vital to the organization’s business may be
tagged as evidence.
– If the organization detects a criminal act, it is legally
obligated to involve appropriate law enforcement
officials.
The next 3 P’s
4- Protection
The protection function is executed via a set of risk management activities, as well as
protection mechanisms, technologies, and tools. Each of these mechanisms or
safeguards represents some aspect of the management of specific controls in the
overall InfoSec plan.

5- People
People are the most critical link in the InfoSec program. This area encompasses
security personnel (the professional information security employees), the security of
personnel (the protection of employees and their information), and aspects of the
SETA program mentioned earlier.

6- Project management
Whether an InfoSec manager is asked to roll out a new security training program or
select and implement a new firewall, it is important that the process be managed as a
project. The final element for thoroughgoing InfoSec management is the application
of a project management discipline to all elements of the InfoSec program.

The Information Security Blueprint
• Basis for design, selection, and implementation of all security
policies, education and training programs, and technological
controls.
• Detailed version of security framework (outline of overall
information security strategy for organization)
• Specifies tasks and the order in which they are to be
accomplished.
• Should also serve as a scalable, upgradeable, and comprehensive
plan for the current and future information security needs.

In choosing the framework to use for an information security blueprint, the organization should consider adapting or adopting a recognized or widely accepted information security model backed or promoted by an established security organization or agency.

The ISO 27000 Series (1 of 8)
• One of the most widely referenced security models
• Standard framework for information security that states
organizational security policy is needed to provide
management direction and support
• Purpose is to give recommendations for information security
management
• Provides a starting point for developing organizational security.
• While the details of the ISO/IEC 27000 series are available
only to those who purchase the standard, its structure and
general organization are well known and are becoming
increasingly significant for all who work in information security.

The ISO 27000 Series (2 of 8)

• ISO/IEC 27000—Information security management systems; overview and vocabulary
• ISO/IEC 27001—Information technology; security
techniques; information security management
systems
• ISO/IEC 27002—Code of practice for information
security management
• ISO/IEC 27003—Information security management
system implementation guidance

The ISO 27000 Series (3 of 8)

• ISO/IEC 27004—Information security management; measurement
• ISO/IEC 27005—Information security risk
management
• ISO/IEC 27006—Requirements for bodies providing
audit and certification of information security
management systems
• ISO/IEC 27007—Guidelines for information security
management systems auditing (focused on the
management system)

The ISO 27000 Series (4 of 8)

• ISO/IEC TR 27008—Guidance for auditors on ISMS controls (focused on the information security controls)
• ISO/IEC 27010—Information security management
for inter-sector and inter-organizational
communications
• ISO/IEC 27011—Information security management
guidelines for telecommunications organizations
based on ISO/IEC 27002

The ISO 27000 Series (5 of 8)

• ISO/IEC 27013—Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
• ISO/IEC 27014—Information security governance
• ISO/IEC TR 27015—Information security
management guidelines for financial services
• ISO/IEC 27017—Code of practice for
information security controls based on ISO/
IEC 27002 for cloud services

The ISO 27000 Series (6 of 8)

• ISO/IEC 27018—Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO/IEC 27031—Guidelines for information and
communication technology readiness for business
continuity
• ISO/IEC 27032—Guideline for cybersecurity
• ISO/IEC 27033-1—Network security—Part 1:
Overview and concepts

The ISO 27000 Series (7 of 8)

• ISO/IEC 27033-2—Network security—Part 2: Guidelines for the design and implementation of network security
• ISO/IEC 27033-3—Network security—Part 3:
Reference networking scenarios; threats, design
techniques and control issues
• ISO/IEC 27033-5—Network security—Part 5:
Securing communications across networks using
Virtual Private Networks (VPNs)

The ISO 27000 Series (8 of 8)

• ISO/IEC 27034-1—Application security—Part 1: Guideline for application security
• ISO/IEC 27035—Information security incident
management
• ISO/IEC 27036-3—Information security for supplier
relationships—Part 3: Guidelines for information and
communication technology supply chain security
• ISO/IEC 27037—Guidelines for identification, collection,
acquisition and preservation of digital evidence
• ISO 27799—Information security management in health
using ISO/IEC 27002
Figure 4-7 ISO/IEC 27001:2013 major process steps

Source: 27001 Academy: ISO 27001 and ISO 22301 Online Consultation Center
NIST Security Models

• Another possible approach is described in the documents available from the Computer Security Resource Center of NIST:
– SP 800-12
– SP 800-14
– SP 800-18 Rev. 1
– SP 800-26
– SP 800-30
• Because the NIST documents are publicly available at no charge and have been for some time, they have been broadly reviewed by government and industry professionals and were among the references cited by the U.S. government when it decided not to select the ISO/IEC 17799 (now 27000 series) standards.
NIST Special Publication 800-14 (1 of 2)

• Security supports the mission of the organization and is an integral element of sound management.
• Security should be cost effective; owners have
security responsibilities outside their own
organizations.
• Security responsibilities and accountability should be
made explicit; security requires a comprehensive
and integrated approach.

NIST Special Publication 800-14 (2 of 2)

• Security should be periodically reassessed; security is constrained by societal factors.
• Thirty-three principles for securing systems (see
Table 4-5).

NIST Cybersecurity Framework (1 of 2)

• Consists of three fundamental components:
– Framework core: set of information security activities
an organization is expected to perform and their
desired results
– Framework tiers: help relate the maturity of security
programs and implement corresponding measures
and functions
– Framework profile: used to perform a gap analysis
between the current and a desired state of information
security/risk management

NIST Cybersecurity Framework (2 of 2)

• Seven-step approach to implementing/improving programs:
– Prioritize and scope
– Orient
– Create current profile
– Conduct risk assessment
– Create target profile
– Determine, analyze, and prioritize gaps
– Implement action plan

Other Sources of Security Frameworks

• Computer Emergency Response Team Coordination Center (CERT/CC)
• International Association of Professional Security
Consultants

Design of Security Architecture (1 of 2)

• Spheres of security: foundation of the security framework
• Levels of controls:
– Management controls set the direction and scope of the
security processes and provide detailed instructions for its
conduct.
– Operational controls address personnel and physical
security and the protection of production inputs/outputs.
– Technical controls are the tactical and technical
implementations related to designing and integrating
security in the organization.

Design of Security Architecture (2 of 2)

• Defense in depth
– Implementation of security in layers
– Requires that organization establish multiple layers of
security controls and safeguards
• Security perimeter
– Border of security protecting internal systems from
outside threats
– Does not protect against internal attacks from
employee threats or onsite physical threats

Spheres of security

Defense in depth

Security perimeters and domains

Summary (1 of 2)

• Management has an essential role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.
• The information security blueprint is the planning document that is the basis for the design, selection, and implementation of all security policies, education and training programs, and technological controls.

Summary (2 of 2)

• Information security education, training, and awareness (SETA) is a control measure that reduces accidental
security breaches and increases organizational
resistance to many other forms of attack.
• Contingency planning (CP) is made up of three
components: incident response planning (IRP), disaster
recovery planning (DRP), and business continuity
planning (BCP).
