December 4, 2003Security PlanningSlide 3PolicyCurrent Security StateRecommendation and requirementsResponsibility for implementationTimetable and Continuing AttentionPlanning TeamCommitment to PlanOrganizational Security PoliciesAttributes of good policiesExamplesSlide 14Committee on National Security Systems (CNSS).CNSS functionNational Security Telecommunications and Information Systems SecurityNSTISSP-200 (1987) Controlled Access Protection (CAP)NSTISSP-200 (1987) Controlled Access Protection(2)Slide 20Physical SecurityPhysical security in security planPhysical security planDisaster RecoveryContingency planningDisposal of Sensitive MediaTEMPEST: Emanations protectionsSlide 28Before Mid-termBefore MidtermFor FinalsSlide 32Slide 33Slide 34For FinalsSlide 36Current StatusCourtesy of Professors Chris Clifton & Matt BishopINFSCI 2935: Introduction of Computer Security1December 4, 2003December 4, 2003Security PlanningSecurity PlanningOverview of CNSS/NSTISSOverview of CNSS/NSTISSPhysical ProtectionPhysical ProtectionLecture 13Lecture 13INFSCI 2935: Introduction to Computer Security 2Security PlanningSecurity PlanningA security planA security planDocument describing how an organization addresses its security needsPeriodically reviewed and revisedCreating a security planCreating a security planWhat it should doWho should write the planHow to acquire support for the planINFSCI 2935: Introduction to Computer Security 3Security PlanningSecurity PlanningA security plan must address the followingA security plan must address the followingPolicyCurrent security stateRecommendations and the requirements to meet the security goalsAccountabilityWho is responsible for a each security activityTimetableFor different security functionsContinuing attention for periodic updateINFSCI 2935: Introduction to Computer Security 4PolicyPolicyShould addressShould addressWho should be allowed to access what resources and how should the access be regulatedShould specifyShould specifyOrganizational security goalsWhere the responsibility lies (accountability policy); limits of responsibilityOrganizational support for securityLegal and ethical aspects?INFSCI 2935: Introduction to Computer Security 5Current Security StateCurrent Security StateCan be determined on the basis of risk Can be determined on the basis of risk analysisanalysisIndicatesIndicatesOrganizational assetsSecurity threats to these assetsControls in place against these threatsINFSCI 2935: Introduction to Computer Security 6Recommendation and Recommendation and requirementsrequirementsIt is important toIt is important toIndicate what requirements are to be imposed in a plan, and over what periodPhase out implementation, and indicate elements of each phase and their time periodsThe plan The plan Must be extensibleMust include a procedure for change and growthShould remain laregely intact through change in the organizationINFSCI 2935: Introduction to Computer Security 7Responsibility for implementationResponsibility for implementationIdentify people/groups responsible for Identify people/groups responsible for implementationimplementationA plan of accountability Some examplesSome examplesPersonal computer users are responsible for their own machineProject leaders for data and computationsDatabase administrators – access and integrity of data in databasesInformation officers for creation and use of data, and retention and disposal of dataPersonnel staff members – responsible for security involving employeesINFSCI 2935: Introduction to Computer Security 8Timetable and Timetable and Continuing AttentionContinuing AttentionTimetable Timetable Expensive and complicated controls need gradual adoptionTraining staff on new controlsContinuing attentionContinuing attentionTimely review and reevaluationUpdate object inventory and list of controlsReview risk analysis to accommodate for parameters that may changeINFSCI 2935: Introduction to Computer Security 9Planning TeamPlanning TeamSizeSizeDepends on the complexity of organization and the degree of commitment to securityOrganizational behavior studies show optimum size of a working committee: 5 – 9Larger committee as oversight bodyCommittee membership should be from each of the Committee membership should be from each of the followingfollowingHardware groupSystems/applications programmersEncryption, protocols, security in OS and networks require systems programming staffData entry personnelPhysical security personnelRepresentative usersINFSCI 2935: Introduction to Computer Security 10Commitment to PlanCommitment to PlanAcceptance of planAcceptance of planNeeds a concise, well-organized report that includes a plan of implementation and justification of costsIndicate accountability, time for accomplishment, continuing reevaluation, etc.Education and publicity to help people understand and Education and publicity to help people understand and accept security planaccept security planManagement commitment depends onManagement commitment depends onUnderstanding cause and potential effects of lack of security (Risk analysis)Cost-effectiveness of security planPresentation of the planINFSCI 2935: Introduction to Computer Security 11Organizational Security PoliciesOrganizational Security PoliciesPurposePurposeA policy is written for several different groupsBeneficiariesTheir needs should be captured in the policyUsersPolicy should indicate acceptable useOwnersPolicy should express the expectation of ownersBalanceNeeds of above groups may conflictBalance the priorities of all affected communitiesINFSCI 2935: Introduction to Computer Security 12Attributes of good policiesAttributes of good policiesPurpose (of the computing facility)Purpose (of the computing facility)E.g., “protect customers’ confidentiality”, “ensure continual usability”Protected resourcesProtected resourcesAll computers? Networks? All data? Customers’ data? etc.ProtectionProtectionWhat degree of protection to which resourcesCoverageCoverageMust be comprehensive enough; general enough to apply to new casesDurabilityDurabilityMust grow and adapt wellRealismRealismProtection requirements must be realizable with existing
View Full Document