
INFSCI 2935: Introduction to Computer Security
Lecture 13: Security Planning; Overview of CNSS/NSTISS; Physical Protection
December 4, 2003
Courtesy of Professors Chris Clifton & Matt Bishop

Outline
  - Security Planning
    - Policy
    - Current Security State
    - Recommendation and requirements
    - Responsibility for implementation
    - Timetable and Continuing Attention
    - Planning Team
    - Commitment to Plan
  - Organizational Security Policies
    - Attributes of good policies
    - Examples
  - Committee on National Security Systems (CNSS)
    - CNSS function
    - National Security Telecommunications and Information Systems Security
    - NSTISSP-200 (1987) Controlled Access Protection (CAP)
    - NSTISSP-200 (1987) Controlled Access Protection (2)
  - Physical Security
    - Physical security in security plan
    - Physical security plan
    - Disaster Recovery
    - Contingency planning
    - Disposal of Sensitive Media
    - TEMPEST: Emanations protections
  - Course status: Before Mid-term; For Finals; Current Status

Slide 2: Security Planning
  - A security plan
    - Document describing how an organization addresses its security needs
    - Periodically reviewed and revised
  - Creating a security plan
    - What it should do
    - Who should write the plan
    - How to acquire support for the plan

Slide 3: Security Planning
  - A security plan must address the following
    - Policy
    - Current security state
    - Recommendations and the requirements to meet the security goals
    - Accountability: who is responsible for each security activity
    - Timetable for the different security functions
    - Continuing attention for periodic update

Slide 4: Policy
  - Should address: who should be allowed to access what resources, and how that access should be regulated
  - Should specify
    - Organizational security goals
    - Where the responsibility lies (accountability policy); limits of responsibility
    - Organizational support for security
    - Legal and ethical aspects?

Slide 5: Current Security State
  - Can be determined on the basis of risk analysis
  - Indicates
    - Organizational assets
    - Security threats to these assets
    - Controls in place against these threats

Slide 6: Recommendation and requirements
  - It is important to
    - Indicate what requirements are to be imposed in the plan, and over what period
    - Phase the implementation, and indicate the elements of each phase and their time periods
  - The plan
    - Must be extensible
    - Must include a procedure for change and growth
    - Should remain largely intact through change in the organization

Slide 7: Responsibility for implementation
  - Identify the people/groups responsible for implementation: a plan of accountability
  - Some examples
    - Personal computer users are responsible for their own machines
    - Project leaders for data and computations
    - Database administrators: access to, and integrity of, data in databases
    - Information officers for creation and use of data, and for retention and disposal of data
    - Personnel staff members: responsible for security involving employees

Slide 8: Timetable and Continuing Attention
  - Timetable
    - Expensive and complicated controls need gradual adoption
    - Training staff on new controls
  - Continuing attention
    - Timely review and reevaluation
    - Update the object inventory and the list of controls
    - Review the risk analysis to accommodate parameters that may change

Slide 9: Planning Team
  - Size
    - Depends on the complexity of the organization and the degree of commitment to security
    - Organizational behavior studies show the optimum size of a working committee: 5 – 9
    - Larger committee as an oversight body
  - Committee membership should be drawn from each of the following
    - Hardware group
    - Systems/applications programmers (encryption, protocols, and security in OS and networks require systems programming staff)
    - Data entry personnel
    - Physical security personnel
    - Representative users

Slide 10: Commitment to Plan
  - Acceptance of the plan
    - Needs a concise, well-organized report that includes a plan of implementation and a justification of costs
    - Indicate accountability, time for accomplishment, continuing reevaluation, etc.
  - Education and publicity to help people understand and accept the security plan
  - Management commitment depends on
    - Understanding the cause and potential effects of a lack of security (risk analysis)
    - Cost-effectiveness of the security plan
    - Presentation of the plan

Slide 11: Organizational Security Policies
  - Purpose
    - A policy is written for several different groups
    - Beneficiaries: their needs should be captured in the policy
    - Users: the policy should indicate acceptable use
    - Owners: the policy should express the expectations of the owners
  - Balance
    - The needs of the above groups may conflict
    - Balance the priorities of all affected communities

Slide 12: Attributes of good policies
  - Purpose (of the computing facility): e.g., “protect customers’ confidentiality”, “ensure continual usability”
  - Protected resources: all computers? Networks? All data? Customers’ data? etc.
  - Protection: what degree of protection applies to which resources
  - Coverage: must be comprehensive enough, and general enough to apply to new cases
  - Durability: must grow and adapt well
  - Realism: protection requirements must be realizable with existing
Pitt IS 2935 - Physical Protection