02: IT Security Management Basics (IT Security at Scale)
Mathias Fischer
Summer term 2017
Outline
Security in organizational structures
IT Security Management
Relation to IT Governance and Compliance
Establishing a Security Policy
Identification of Threats
Risk Assessment and Management
Monitoring Risks and Measures
Security in Organizational Structures
Security is interdisciplinary!
To fit security management into the organization, it is best to focus on creating virtual teams that span the entire business and provide comprehensive support to the whole organization
This allows senior management to delegate security responsibilities to team leaders, administrative staff, HR teams and facilities management groups without requiring them to be part of the information security manager's immediate team
[Cam16]
Functional Structure for the Security Team
Security operations
– Manage devices
– Monitor the external environment
– React to external warnings
Risk management
– Technical and business-level risk assessment
– Setup of the risk management plan
– Compliance-related tasks
Security architecture
– Ensures that the security objectives are met
– Highly specialized people (security architecture specialists, infrastructure architects, database architects)
Security testing
– Team for conducting tests
– In small organizations bought in externally
[Cam16]
IT Security Management
Definition: a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and reliability. [STBR11]
IT security management functions include:
– determining organizational IT security objectives, strategies and policies
– determining organizational IT security requirements
– identifying and analyzing security threats to IT assets
– identifying and analyzing risks
– specifying appropriate safeguards
– monitoring the implementation and operation of safeguards
– developing and implementing a security awareness program
– detecting and reacting to incidents
Management support
The IT security policy must be supported by senior management
An IT security officer is required, who
– develops and maintains security policies
– develops and implements security plans
– handles the day-to-day monitoring of the implementation of the plans
– handles incidents
Large organizations need IT security officers on major projects/teams
– They manage the security process within their areas
Organizational context and security policy
First examine the organization's IT security:
– Objectives: the wanted IT security outcomes
– Strategies: how to meet the objectives
– Policies: identify what needs to be done
IT security must be maintained and updated regularly
– Using periodic security reviews
– To reflect changing technical/risk environments
Security policy: topics to cover
Scope and purpose of the policy
Relationship of the security objectives to the organization's legal and regulatory obligations as well as to its business objectives
IT security requirements
Assignment of responsibilities relating to the management of IT security and the organizational infrastructure
Risk management approach adopted by the organization
How security awareness and training are to be handled
General personnel issues and any legal sanctions
Integration of security into system development and procurement
Definition of an information classification scheme for the company
Contingency and business continuity planning
Incident detection and incident response (including handling processes)
How and when the policy is to be reviewed, and how changes to it are controlled
Security Management Begins at Strategic Level (1)
(Reconstructed table: the three levels of business engineering and their security management counterparts)
Strategic level / security policy
– Business engineering: definition of company tasks; strategic planning; definition of strategic goals, principles and guidelines
– Security management: formulation of company goals from a security perspective
Process level / security concept
– Business engineering: layout of activities as processes
– Security management: translation of policy into measures; risk analysis
System level / mechanisms
– Business engineering: support of processes by using systems; analysis and specification of application systems
– Security management: detailing of measures via concrete mechanisms
Security Management Begins at Strategic Level (2)
Statements for the strategic level:
Whoever relies only on prefabricated solutions will lose valuable know-how in the long run.
Heterogeneous IT landscapes protect against accumulation risks (one flaw hitting every system at once).
IT security is more than technology.
Security should be an integral part of processes from the beginning and should not be appended afterwards.
Security should be developed in line with other disciplines, e.g., to use synergies with business engineering.
Classification according to technical detail level
(Figure: the three levels ordered by the granularity of the technical description, increasing downwards, and by the importance of organizational aspects, increasing upwards)
IT security at scale: security management (secure operation, infrastructure, emergency management, training, …)
Design of secure IT systems: phase model for the design
Specific IT security mechanisms: attacker model and concrete mechanisms (crypto algorithms, protocols, IT security mechanisms)
IT-Governance
IT deployment
– Has to be oriented according to the business objectives
– Has to consider risk sufficiently
Comprises
– Management concepts
– Structure of organizations
– Processes
Methods
– Risk management and risk controlling
– Security management (data protection and data security)
IT-Governance as part of Corporate Governance
Corporate Governance
Regulatory framework for the management and control of organizations with the goal of responsible and long-term value creation
Level of regulation
– Legal standards
– »Soft laws« (recommendations, frameworks, agreements)
Examples of regulations
– OECD – Principles of Corporate Governance
– Germany – Deutscher Corporate Governance Kodex (referenced in § 161 AktG, the »Entsprechenserklärung«, declaration of conformity)
• “§ 161 AktG: The management boards and supervisory boards of listed companies in Germany declare annually that the recommendations of the 'Regierungskommission Deutscher Corporate Governance Kodex', as published by the Federal Ministry of Justice in the official section of the electronic Federal Gazette, have been and are being complied with, or which recommendations have not been or are not being applied. The declaration is to be made permanently accessible to the shareholders.”
IT-Governance
(Figure after Nüttgens, Vukelic 2007: the four areas of IT governance)
Law and regulatory frameworks
• German Corporate Governance Code
• SOX, Euro-SOX
• Basel II, Solvency II
• KonTraG
Institutions and job profiles
• IT auditor/revisor
• IT controller
• IT compliance analyst
• IT Governance Institute
• ISACA
Operational tasks
• Business-IT alignment
• Control, organization
• Risk management
• IT compliance
• IT controlling
Reference models and frameworks
• COSO model
• IT Infrastructure Library (ITIL)
• CobiT
• ISO 27001
• BSI Grundschutz
IT-Compliance
Compliance with legal requirements and external guidelines is a central maxim of IT governance and is denoted IT compliance.
Implications for security management? Relevant regulations:
KonTraG
BDSG
SOX
Euro-SOX
Basel II
Solvency II
IT-SiG
Overview on Important Guidelines
(Reconstructed table: guideline, binding for whom, impact on security management)
KonTraG – many German corporations
– indirect; risk management and risk control systems have to be installed, covering IT security-related risks that have the potential to endanger the existence of the whole company
BDSG – all organizations in Germany
– direct; describes how to handle specific data; demands concrete mechanisms, e.g., access control (compare “Anlage zu § 9 Satz 1“)
IT-SiG – all organizations in Germany
– direct; operators of critical infrastructures, ISPs, and service providers have to maintain a minimum level of IT security; obligation to report and notify
SOX – all companies listed on US stock exchanges
– indirect; demands an internal control system; correct financial reporting requires the correct functioning of IT and thus also requires IT security
Euro-SOX – bigger companies and corporations that are listed on a stock exchange
– indirect; demands an internal risk management and risk control system
Basel II – financial institutions in Europe
– direct; an internal control system has to be implemented; risks have to be assessed; MaRisk demands the usage of popular ISMS standards
Solvency II – insurance companies in Europe
– analogous to Basel II, but the exact realization is blurry; demands an internal control system; risks have to be assessed
Conclusion on IT-Compliance Guidelines
BDSG and IT-Sicherheitsgesetz: concrete requirements on information security
Others: indirect implications
– Operational internal control systems (assess IT-related risks)
– Correct financial reporting (if done on the basis of IT)
– Detection and treatment of risks that endanger the existence of the organization (including IT-related security risks)
Laws do not state explicitly how to implement and prove these requirements
Management is personally liable according to SOX and KonTraG in cases of culpable negligence, hence:
– Usage of well-established IT security standards
– Audits as proof
IT-Sicherheitsgesetz
“Artikelgesetz” (an act amending several other acts)
– In force since July 2015
– Changes and complements, amongst others, the “BSI-, BKA-, Telemedien-, TK-, Atom- und Energiewirtschaftsgesetz”
Addressees: ca. 2000 organizations according to the preamble
– Operators of critical infrastructures
• High importance for the functioning of society
– ISPs, service providers, …
• Social media, online shopping, online banking, …
Fines for violations (§ 14 Abs. 2 BSI-Gesetz)
– Up to 100,000 EUR if an operator of a critical infrastructure cannot prove fulfillment of the requirements (every 2 years)
– Up to 50,000 EUR in all other cases
Details are specified by regulation (§ 10 Abs. 1 BSI-Gesetz)
IT-Sicherheitsgesetz – Typical Requirements
Achieving and maintaining a minimum level of IT security (§ 8a Abs. 1 BSI-Gesetz)
– Adoption of an Information Security Management System (ISMS), like ISO 27001 or BSI 100-1
– Conducting a risk analysis, e.g., according to BSI 100-3
Obligation of proof (“Nachweispflicht”) (§ 8a Abs. 3 BSI-Gesetz)
– Presumably via an IT-Grundschutz or ISO 27001 certificate
– Nomination of a contact point for IT security, e.g., an IT security officer
Obligation for operators of critical infrastructures to report significant disturbances of IT security to the BSI (§ 8b Abs. 4 BSI-Gesetz)
– Naming the operator is required only when the disturbance actually led to an outage or other negative impact
– Otherwise the report can be made without naming the operator
ISMS: Information Security Management System
(Figure: three views of an ISMS, each a cycle)
»Operator«: IT-Grundschutz procedure model (Init/security policy, security concept, implementation, maintenance during operation)
»Management«: Deming cycle (Plan, Do, Check, Act)
»Controller«: risk management (Identify, Analyze, Treat, Monitor)
Deming Cycle: Plan – Do – Check – Act
(Figure: the information security needs of interested parties enter the cycle; managed security is its output)
Plan: establish the security policy; define objectives and processes
Do: implement and operate policy, controls, processes
Check: assess, measure, and report results
Act: take corrective and preventive actions (based on audits)
IT security management process
IT security management needs to be a key part of the organization's overall management plan
IT security risk assessment needs to be incorporated into the wider risk assessment of the organization
IT security management is a cyclic process
– Needs to be constantly repeated
– Changes in IT technology and in the risk environment can be rapid
[STBR11, ISO27005]
From threats to security incidents
Why IT Security Management?
– Protection of company values (assets)
– Requirement by business partners
– Gaining trust
– IT-Compliance
(Figure after [Nowey, 2011]: an organization with its assets 1, 2 and 3, surrounded by)
Threats, e.g., viruses, worms, DoS, hacking, espionage, social engineering
Vulnerabilities, e.g., configuration errors, buffer overflows
Security goals: CIA, accountability, controlled access
Measures: proactive, reactive
Security Management
Security management requires the following steps
1. Development of a security policy
2. Creation of a security concept
3. Realization/implementation of IT security measures
4. Maintenance of IT security during normal operation
Security as part of management
– Should be an explicit management goal
(Phases: Init → Security concept → Implementation → Maintenance)
Developing a security policy (phase: Init)
1. Creation of a team for IT security management
2. Formulation of company goals from a security perspective
To be integrated:
– Business policy and culture of the company
– Specific characteristics of the company
– IT strategy
– Regulatory framework
Warning
– Do not use pre-formulated text, policy templates, or policy generators!
Establishing a security concept (phase: Security concept)
1. Threat model
• Recognize and formulate all relevant potential threats
2. Risk analysis
• Rating of the threats
3. Definition of the assets to be protected and more concrete security requirements
4. Security architecture
• Create a concept for its realization
Sometimes instead of 1. and 2.: trust model
»What is required?« and not »What is possible?«
Threat vs. Trust Model
(Reconstructed table: both models feed the same subsequent steps: risk analysis; definition of the assets to be protected and more concrete security requirements; concept of implementation (security architecture))
Threat model: »What is threatened?«; preferentially for the realization of safety aspects
Trust model: »Whom can I trust?«; preferentially for the realization of security aspects
Risk Management Circle
(Figure: the cycle Identify → Analyze → Treat → Monitor)
Risk = P(Event) × Damage
Identification of Threats
Which threats are relevant for the object/asset that has to be protected?
Methods & Tools
– Checklists and workshops
– Threat and attack trees
– Analyzing scenarios
– Historical data
Problems
– Completeness: all relevant threats need to be covered
(Figure: example threat tree for a local network failure; see Threat Trees (1))
Identification of Threats – Checklists and Workshops: STRIDE (1)
Threat categories of Microsoft's Security Development Lifecycle (SDL)
Questions
How can an attacker change the authentication data?
What is the impact if an attacker can read the user profile data?
What happens if access to the user profile database is denied?
STRIDE
Spoofing identity
– Example: illegally accessing and then using another user's authentication information, such as username and password
Tampering with data
– The malicious modification of data
– Examples: unauthorized changes made to persistent data, and alteration of data in transfer between two computers over an open network
The STRIDE Threat Model. Microsoft, 2002
https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
Identification of Threats – Checklists and Workshops: STRIDE (2)
Repudiation
– Users deny having performed an action, and other parties cannot prove otherwise
• Example: a user performs an illegal operation in a system that lacks the ability to trace the prohibited operation
– Non-repudiation refers to the ability of a system to counter repudiation threats
• Example: a user who purchases an item might have to sign for the item upon receipt
• The vendor can then use the signed receipt as evidence that the user did receive the package
Information disclosure
– Exposure of information to individuals who are not supposed to have access to it
– Example: users being able to read a file that they were not granted access to, or an intruder being able to read data in transit between two computers
Denial of service
– DoS attacks deny service to valid users
– Example: making a web server temporarily unavailable or unusable
Elevation of privilege
– An unprivileged user gains privileged access and can thus compromise or destroy the system
– Includes situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself
Elevation of Privilege (EoP) Card Game
Elevation of Privilege (EoP) is an easy way to get started with threat modeling
The EoP card game helps clarify details of threat modeling and examines possible threats to software and computer systems
The EoP game focuses on the STRIDE threats
https://www.microsoft.com/en-us/sdl/adopt/eop.aspx
Source: microsoft.com
Identification of Threats – Brainstorming
A not very systematic approach is producing arbitrary threat lists by some ad-hoc brainstorming method
Example: hospital information system
– Corruption of patient medical information
– Corruption of billing information
– Disclosure of confidential patient information
– Compromise of internal schedules
– Unavailability of confidential patient information
– ...
Drawbacks of this approach:
– Questionable completeness of the identified threats
– No rationale for the identified threats other than experience
– Potential inconsistencies, e.g., disclosure vs. unavailability of confidential patient information in the example above
Identification of Threats – Threat Trees (1)
Which threats are relevant for the respective asset?
Also known as attack trees
Example (reconstructed from the figure; each child refines its parent):
Local network failure
– Power failure
– Misconfiguration of PC settings
  • Malicious person
  • User mistake
– Misconfiguration of network devices
  • Malicious person
  • Admin mistake
– Disconnection of cables
Identification of Threats – Threat Trees (2)
Definition: a threat tree is a tree with
– nodes describing threats at different levels of abstraction, and
– subtrees refining the threat of the node they are rooted at
– the child nodes give a complete refinement of the threat represented by the parent node
Technique for establishing threat trees:
– Start with a general, abstract description of the complete set of threats for the given system, e.g., “security of system X compromised”
– Iteratively introduce detail by carefully refining the description
– Each node becomes the root of a subtree describing the threats it represents
– Eventually, each leaf node of the tree provides a description of a threat that can be used for a (less arbitrary) threat list
The main idea of this technique is to postpone the creation of (arbitrary) threat lists as much as possible
Identification of Threats – Threat Trees (3) – Example
(Reconstructed from the figure, [Amo94])
Hospital System Threats
– Patient Medical Information
  • Life Threatening
    – Disclosure
    – Integrity
    – Denial of Service
    – ...
  • Non Life Threatening
    – ...
– Non Patient Medical Information
  • Billing
  • Non Billing
  • ...
At each level of refinement the child nodes of a node must maintain demonstrable completeness to allow for confidence that nothing is missing
Identification of Threats – Threat Trees (4) – Example
• Child nodes can have different relations to their parent node
• The two most common relations are AND and OR (figure: a threat with two subthreats joined by OR, a disjunction, and a threat with two subthreats joined by AND, a conjunction)
These relations can be used to infer the composed threat:
– Augment nodes with effort estimations (e.g., easy, moderate, high)
– OR-related composed threat: inferred as the lowest-effort subtree (the attacker will most likely take the easy way...)
– For a conjunction, infer the highest effort (all subthreats have to be realized)
Identification of Threats – Threat Trees (5) – Example
Appropriate attributes are, e.g., estimated criticality and attacker effort for individual threats
Threat trees can help to gain insight into where to spend resources to decrease the overall system's vulnerability:
(Reconstructed figure: two OR trees)
Before: Threat (OR)
– Subthreat A: Criticality = 4, Effort = 2, Risk = 2
– Subthreat B: Criticality = 6, Effort = 1, Risk = 6
After: Threat (OR)
– Subthreat A: Criticality = 4, Effort = 2, Risk = 2
– Subthreat B: Criticality = 6, Effort = 3, Risk = 2
• The second threat tree re-evaluates the risk after a protective measure has been taken to increase the attacker's effort for subthreat B
• Here, risk is assessed as: Risk = Criticality / Effort
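Added example (not from the lecture): a small Python implementation of the threat tree rules of slides (4) and (5). It encodes the composition rules stated there (OR: the attacker takes the lowest-effort subtree; AND: the highest effort counts), the per-leaf assessment Risk = Criticality / Effort, and the re-evaluation after a countermeasure raises the effort of subthreat B from 1 to 3. The `Node` class, the function names and the AND variant of the tree are assumptions made for this example; the numbers are the slides' own.

```python
"""Threat tree (attack tree) evaluation with AND/OR relations.

Added example, not code from the lecture.  Composition rules as stated on
the slides: at an OR node the attacker takes the subtree with the lowest
effort; at an AND node every subthreat has to be realised, so the highest
effort counts.  A leaf's risk is assessed as Criticality / Effort.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    relation: str = "OR"                 # "OR" or "AND"; ignored on leaves
    children: Tuple["Node", ...] = ()
    effort: Optional[float] = None       # leaves only: 1 = easy ... 3 = high
    criticality: Optional[float] = None  # leaves only

    @property
    def is_leaf(self) -> bool:
        return not self.children


def composed_effort(node: Node) -> float:
    """Effort the attacker needs to realise `node` (slide rule: OR = min, AND = max)."""
    if node.is_leaf:
        return node.effort
    efforts = [composed_effort(c) for c in node.children]
    return min(efforts) if node.relation == "OR" else max(efforts)


def cheapest_path(node: Node) -> List[str]:
    """Leaves a rational attacker realises: the cheapest child of every OR
    node, all children of every AND node."""
    if node.is_leaf:
        return [node.name]
    if node.relation == "OR":
        return cheapest_path(min(node.children, key=composed_effort))
    path: List[str] = []
    for c in node.children:
        path.extend(cheapest_path(c))
    return path


def leaf_risks(node: Node) -> List[Tuple[str, float]]:
    """(name, risk) for every leaf, highest risk first: where to spend resources."""
    if node.is_leaf:
        return [(node.name, node.criticality / node.effort)]
    risks: List[Tuple[str, float]] = []
    for c in node.children:
        risks.extend(leaf_risks(c))
    return sorted(risks, key=lambda r: r[1], reverse=True)


def harden(node: Node, leaf_name: str, new_effort: float) -> Node:
    """Copy of the tree in which a countermeasure raised the effort of one
    leaf; the tree is immutable, so the 'before' tree stays available."""
    if node.is_leaf:
        return replace(node, effort=new_effort) if node.name == leaf_name else node
    return replace(node, children=tuple(harden(c, leaf_name, new_effort)
                                        for c in node.children))


# The slides' example: an OR threat with two subthreats (numbers from the slides).
SLIDE_TREE = Node("Threat", "OR", (
    Node("Subthreat A", effort=2, criticality=4),
    Node("Subthreat B", effort=1, criticality=6),
))

# Assumed variant for illustration: the same subthreats joined by AND.
AND_TREE = replace(SLIDE_TREE, relation="AND")

if __name__ == "__main__":
    before = SLIDE_TREE
    after = harden(before, "Subthreat B", 3)   # countermeasure: B now costs effort 3
    for label, tree in (("before", before), ("after", after), ("AND", AND_TREE)):
        print(label, "effort:", composed_effort(tree),
              "attacker path:", cheapest_path(tree),
              "risks:", leaf_risks(tree))
```

Before the countermeasure the attacker's path is subthreat B (effort 1, risk 6); after raising B's effort to 3 the cheapest path moves to A and both leaves sit at risk 2, which is the point of the second tree on the slide. In the AND variant the attacker has to realise both subthreats, so the composed effort is 2.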
A High Level Model for Internet-Based IT-Infrastructure
(Figure: private networks, mobile communication networks and the public Internet, connected via access networks and ISP networks; web servers; support infrastructure such as network management and DNS servers, ...)
A High Level Threat Tree for Internet-Based IT-Infrastructures
(Figure only)
A Threat Tree for a Safe
(Figure only)
Risk Assessment
How probable is the occurrence, and how large is the damage, of a potential attack?
Methods & Tools
– Qualitative assessment
– Quantitative assessment
– Game theory
– Worst-case assessment (“Maximalwirkungsanalyse”)
Problems
– Dependency on assets
– Strategic attackers
– Correlations
– Quantification
(Figure: risk matrix with probability of occurrence (low/med/high) on one axis and damage (low/med/high) on the other; risk grows towards high/high)
Risk Management
Question
– »Which risks should be handled, and how?«
Methods
– Risk avoidance
– Risk treatment (e.g., according to IT-Grundschutz and ISO 27002)
– Risk transfer
– Risk acceptance
Challenges
– Complexity of the problem statement
– Finding suitable reference solutions
– Composition of a security system out of different security sub-components
Risk Management for IT Systems (1)
(Figure after Schaumüller-Bichl 1992: the risk analysis yields the total risk, which is split into risk avoidance, safeguards (security architecture), limitation of damage (disaster plan), risk transfer (insurances), and the remaining risk)
Risk Management for IT Systems (3): Emergency or Disaster Plan to Limit Damage
An IT security concept cannot prevent damage or avoid risk completely
– An emergency plan should be part of the planning
Method
– Backup plan (computing center, data)
– Operation during an emergency (graceful degradation, …)
– Restoration plans
Loss of availability
– Emergency plans are primarily targeted at the fast restoration of availability
Loss of integrity
– Damage can occur slowly
– Difficult to restore; backup concepts can help
Loss of confidentiality
– Damage can occur slowly
– Nearly impossible to restore, as deletion of all copies is not possible
Risk Management for IT Systems (5)
Risk transfer (“Überwälzung”) is not applicable to data protection (and when it comes to criminal law)
(Figure: as in (1), with the risk transfer/insurances branch highlighted)
Risk Management for IT Systems (6)
IT security
– Risk = Probability of occurrence · Damage
– Damages are systematically tolerable
Data protection
– All-or-nothing approach
– Legal requirements must be implemented
(Figure: as in (1))
Risk Management for IT Systems (7)
(Figure: the risk matrix of the risk assessment slide, probability of occurrence vs. damage, each low/med/high)
Risk Management for IT Systems (8)
Typical positions for risk avoidance, acceptance, and transfer
(Reconstructed from the risk matrix, probability of occurrence vs. damage, each low/med/high)
– Risk acceptance: low probability, low damage
– Safeguards: the medium region in between
– Risk transfer: low probability, high damage
– Risk avoidance: high probability, high damage
Monitoring Risks and Measures (1)
Questions
– Are the measures effective and efficient?
– How secure is the organization?
Methods
– Characteristic numbers (metrics) and scorecard systems
– Return on Security Investment (ROSI)
Challenges
– Using the “right” characteristic numbers
– Measuring/obtaining them in the “right” way
– Keeping the characteristic numbers up to date
Loomans, 2002
Monitoring Risks and Measures (2)
Questions
– Are the measures effective and efficient?
– How secure is the organization?
Spending a lot does not necessarily help a lot; it depends on how the money is spent!
(Figure: marginal costs and marginal utility plotted against the security investment)
Monitoring Risks and Measures (3)
Questions
– Are the measures effective and efficient?
– How secure is the organization?
Spending a lot does not necessarily help a lot; it depends on how the money is spent!
Effectiveness = using the right measures
– Less is sometimes more.
Problems
– The cost and utility functions are difficult to obtain
– The functions are not continuous; security measures usually follow binary decisions
Basis: Quantitative Data
Data for the characterization of risks
– Probability of occurrence
– Damage
– Distribution function
Requirements on data sources
– High data quality and timeliness
– Completeness and tailored to the organization
– Simplicity
Potential Sources for Quantitative Data
(Reconstructed table: source, examples, assessment)
Expert judgements
– Examples: interviews with internal or external experts; CSI/FBI Survey
– Assessment: often used, but cannot be measured; subjective and incomplete
Simulations
– Examples: historical or Monte Carlo simulations
– Assessment: not widely known; good when no data is available to start with
Market mechanisms
– Examples: capital market analyses; bug challenges; derivative products
– Assessment: not applicable to all areas; not available until now
Historical data
– Examples: CERTs/CSIRTs; internal SIEM systems
– Assessment: widely used in other areas; quality of forecast?; hardly available
sec-compare: Collaborative IT Security Management
Idea
– Design a system for the collection of quantitative data about security mechanisms and security incidents in organizations
Goal
– A data basis that contains information on damage, probability of occurrence, and probability distributions for security incidents in different organizations
Different possibilities for the usage of this data
– Risk assessment, evaluation of investment decisions
– Benchmarking of organizations
– Evaluation of correlations between incidents
– Knowledge transfer between organizations
sec-compare: Basic Architecture
(Figure: participants A, B and C submit incident data to the platform provider and receive aggregated data back; external sources, such as CERTs, honeynets, experts and studies, contribute additional data)
sec-compare: Security Benchmarking
Easy participation
– No registration necessary
– Providing data on the organization is optional
Fast assessment
– Questionnaire-based
– Duration: 30 – 60 min
Options for comparison
– With other companies (basic population, “Grundgesamtheit”)
– With selected questionnaires
• Replies of colleagues, consultants, superiors, ...
• Comparing one's own questionnaires over time
Serves as a first self-assessment; does not replace a detailed security analysis
http://sec-compare.de
Return on Security Investment (ROSI)
Question
– »Have the measures been effective and efficient? How secure is the organization?«
ROSI
– Based on the ALE concept (Annual Loss Expectancy) from the 1970s
– Represents an analogy to the classic Return on Investment
– Different presentation forms and enhancements
ROSI – Return on Security Investment – »savings« by avoiding the most likely damages minus the costs for security measures
compare: Pohlmann 2006
Return on Security Investment (ROSI)
R: Recovery costs – costs of the most likely damages
S: Savings – reduction of the costs of the most likely damages
T: Total costs – costs of measures
ALE: Annual Loss Expectancy – remaining costs after an incident
ALE = R – S + T
ROSI = R – ALE
ROSI = S – T
ROSI – Return on Security Investment – »savings« by avoiding potential damages minus the costs for security measures
compare: Pohlmann 2006
Return on Security Investment (ROSI)
Example
– Web service
• Savings – reduction of the costs of the most likely damages
S = 100,000 EUR per year (customer and image loss)
• Total costs – costs of measures/safeguards
T = 5,000 EUR per year (certificate, firewall, updates etc.)
ROSI = S – T = 95,000 EUR p.a.
ROSI – Return on Security Investment – »savings« by avoiding potential damages minus the costs for security measures
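Added example (not from the lecture): the Monte Carlo simulation that the "Potential Sources for Quantitative Data" table above names as a data source, applied to the ROSI of the web service example. The loss model (a Poisson-distributed number of incidents per year, a lognormal loss per incident) and every parameter value are constructed assumptions; the safeguard is assumed to reduce both the incident rate and the loss per incident. ROSI is computed as S – T as defined on the slides, with S taken as the difference of the simulated expected annual losses before and after the safeguard. A closed-form expected loss checks the simulation, and the 95 % quantile shows the distribution-function information the "Basis: Quantitative Data" slide lists as a data need and that a single ALE figure hides.

```python
"""Monte Carlo estimate of annual loss and ROSI of a safeguard.

Added example, not code from the lecture.  Model and parameters are
constructed assumptions: incidents per year ~ Poisson(rate), loss per
incident ~ lognormal(mu, sigma).  ROSI = S - T as on the slides.
"""
import math
import random
from typing import List


def poisson(rng: random.Random, rate: float) -> int:
    """Number of incidents in one year (Knuth's method, fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def annual_loss_samples(rate: float, mu: float, sigma: float,
                        years: int = 20000, seed: int = 1) -> List[float]:
    """Simulate `years` independent years; each year's loss is the sum of a
    Poisson number of lognormal incident losses (constructed model)."""
    rng = random.Random(seed)
    samples = []
    for _ in range(years):
        incidents = poisson(rng, rate)
        samples.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return samples


def mean(samples: List[float]) -> float:
    return sum(samples) / len(samples)


def quantile(samples: List[float], q: float) -> float:
    """Empirical quantile, e.g. q = 0.95: the loss exceeded in one year out of twenty."""
    ordered = sorted(samples)
    return ordered[min(int(q * len(ordered)), len(ordered) - 1)]


def analytic_annual_loss(rate: float, mu: float, sigma: float) -> float:
    """Closed form E[annual loss] = rate * E[lognormal loss]; sanity check for the simulation."""
    return rate * math.exp(mu + sigma ** 2 / 2)


def rosi(loss_before: float, loss_after: float, safeguard_cost: float) -> float:
    """ROSI = S - T with S = reduction of the expected loss, T = cost of the measures."""
    savings = loss_before - loss_after
    return savings - safeguard_cost


# Constructed parameters for the slides' web-service example (assumptions):
# before: 4 incidents/year, median loss 5,000 EUR; after certificate, firewall
# and updates (T = 5,000 EUR/year): 1 incident/year, median loss 3,000 EUR.
BEFORE = dict(rate=4.0, mu=math.log(5000), sigma=0.8)
AFTER = dict(rate=1.0, mu=math.log(3000), sigma=0.8)
SAFEGUARD_COST = 5000.0


def web_service_rosi() -> float:
    """ROSI of the assumed safeguard, with S estimated by simulation."""
    loss_before = mean(annual_loss_samples(**BEFORE))
    loss_after = mean(annual_loss_samples(**AFTER))
    return rosi(loss_before, loss_after, SAFEGUARD_COST)


if __name__ == "__main__":
    before = annual_loss_samples(**BEFORE)
    after = annual_loss_samples(**AFTER)
    print(f"expected loss before: {mean(before):,.0f} EUR/yr "
          f"(analytic {analytic_annual_loss(**BEFORE):,.0f}), "
          f"1-in-20-year loss: {quantile(before, 0.95):,.0f} EUR")
    print(f"expected loss after:  {mean(after):,.0f} EUR/yr "
          f"(analytic {analytic_annual_loss(**AFTER):,.0f})")
    print(f"ROSI = S - T = {web_service_rosi():,.0f} EUR/yr")
```

The simulated mean converges to the closed form, so for the expectation alone the simulation adds nothing; its value is the tail: the 95 % quantile of the yearly loss is far above the mean, which is what decides between safeguards, risk transfer (insurance) and acceptance in the risk matrix, and it is the kind of figure an expert judgement rarely supplies.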
Return on Security Investment (ROSI)
ROSI criticism
– Costs and benefits are difficult to assess, unlike in classical investment projects
– It is not only about operative decisions: security management starts at the strategic level
What is the benefit?
– Compliance with legal requirements
– Generation of additional income
– Efficiency gains
– Reduction of risks
What are the costs?
– Costs for procurement, adoption, operation
– Costs for changes in processes and operations
A risk management approach at the operational level is required
Risk management circle
(Figure: the cycle Identification → Evaluation → Control → Monitoring, with Risk = Probability of occurrence · Damage at its center; methods per phase:)
Identification: checklists, workshops, experts, historical data
Evaluation: basic approach, categories, quantitative methods
Control: best practice, scoring, quantitative methods
Monitoring: checklists, scorecards, characteristic numbers
Criteria Landscape for Security-related Standards
Security-related standards exist for
– Process/procedure models for security management
– Special security functionality (e.g., cryptography)
– Certification and audits
– ...
Partially also sector-specific standards (e.g., banking)
[BK13]
(Figure: standards arranged by scope (product, system, process, environment) and by level (technology, guideline, evaluation, architecture); fields: evaluation of IT security; systems for managing information security; security measures and monitoring; physical security; cryptographic protocols and IT security procedures)
Security Management Standards in the Context of this Lecture
ISO 27000 Family
Family of ISO/IEC Information Security Management Systems (ISMS) standards
Developed by the International Organization for Standardization (ISO) together with the IEC
Different standards that address
– Requirements for an ISMS
– Code of practice
– System implementation guidance
– Measurement of the effectiveness of ISM
– Security risk management
– Audits and certification
BSI IT-Grundschutz
Developed by the “Bundesamt für Sicherheit in der Informationstechnik (BSI)“
Compatible with ISO 2700x
No detailed risk analysis as in ISO 27005
Concrete threats, no assessment of their probability of occurrence and damage
Three protection levels for assets
The catalogue provides corresponding measures/safeguards for an asset depending on its protection level
References
[ISO27001] ISO/IEC, “ISO/IEC 27001:2005 — Information technology — Security techniques — Information security management systems — Requirements,” 2005.
[ISO27002] ISO/IEC, “ISO/IEC 27002:2005 — Information technology — Security techniques — Code of practice for information security management,” 2005. Formerly known as ISO/IEC 17799:2005.
[ISO27003] ISO/IEC, “ISO/IEC 27003:2010 — Information technology — Security techniques — Information security management system implementation guidance,” 2010.
[ISO27005] ISO/IEC, “ISO/IEC 27005:2008 — Information technology — Security techniques — Information security risk management,” 2008.
[NIST02] National Institute of Standards and Technology, “Risk Management Guide for Information Technology Systems,” Special Publication 800-30, July 2002.
[STBR11] William Stallings and Lawrie Brown, “Computer Security – Principles and Practice,” Pearson, 2nd ed., 2011.
[Amo94] E. Amoroso, “Fundamentals of Computer Security Technology,” Prentice Hall, 1994.
[Cam16] Tony Campbell, “Practical Information Security Management – A Complete Guide to Planning and Implementation,” Apress, 2016.
[BK13] BITKOM, “Kompass der IT-Sicherheitsstandards,” 2013. https://www.bitkom.org/noindex/Publikationen/2013/Leitfaden/Kompass-der-IT-Sicherheitsstandards/Kompass-der-IT-Sicherheitsstandards-it-sa-Broschuere-Web.pdf