Slide 1: 02: IT Security Management Basics (IT Security at Scale)

Mathias Fischer

Summer term 2017

Slide 2: Outline

Security in organizational structures

IT Security Management

Relation to IT Governance and Compliance

Establishing a Security Policy

Identification of Threats

Risk Assessment and Management

Monitoring Risks and Measures

Slide 3: Security in Organizational Structures

Security is interdisciplinary!

To fit security management into the organization, it is best to create virtual teams that span the entire business and provide comprehensive support to the whole organization

This allows senior management to delegate security responsibilities to team leaders, administrative staff, HR teams and facilities management groups, without requiring them to be part of the information security manager’s immediate team

[Cam16]

Slide 4: Functional Structure for the Security Team

Security operations

– Manage devices

– Monitor external environment

– React to external warnings

Risk management

– Technical and business-level risk assessment

– Setup of risk management plan

– Compliance-related tasks

Security Architecture

– Ensures that security objectives are met

– Extremely specialized people (security architecture specialists, infrastructure architects, database architects)

Security testing

– Team for doing tests

– In small organizations bought in from external providers

[Cam16]

Slide 5: IT Security Management

Definition: a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and reliability. [STBR11]

IT security management functions include:

– determining organizational IT security objectives, strategies and policies

– determining organizational IT security requirements

– identifying and analyzing security threats to IT assets

– identifying and analyzing risks

– specifying appropriate safeguards

– monitoring the implementation and operation of safeguards

– developing and implementing a security awareness program

– detecting and reacting to incidents

Slide 6: Management support

IT security policy must be supported by senior management

IT security officer required

– Develops and maintains security policies

– Develops and implements security plans

– Handles day-to-day monitoring of the implementation of the plans

– Handles incidents

Large organizations need IT security officers on major projects/teams

– Manage security process within their areas

Slide 7: Organizational context and security policy

First examine organization’s IT security:

– Objectives - wanted IT security outcomes

– Strategies - how to meet objectives

– Policies - identify what needs to be done

IT security must be maintained and updated regularly

– Using periodic security reviews

– To reflect changing technical and risk environments

Slide 8: Security policy: topics to cover

Scope and purpose of the policy

Relationship of the security objectives to the organization's legal and regulatory obligations as well as its business objectives

IT security requirements

Assignment of responsibilities relating to management of IT security and organizational infrastructure

Risk management approach adopted by organization

How security awareness and training are to be handled

General personnel issues and any legal sanctions

Integration of security into system development and procurement

Definition of information classification scheme for company

Contingency and business continuity planning

Incident detection and incident response (including handling processes)

How and when the policy needs to be reviewed, and how changes to it are controlled

Slide 9: Security Management Begins at Strategic Level (1)

Level | Business Engineering | Security Management
Strategic Level / Security Policy | Definition of company tasks; strategic planning | Definition of strategic goals, principles and guidelines; formulation of company goals from a security perspective
Process Level / Security Concept | Layout of activities as processes | Translation of policy into measures; risk analysis
System Level / Mechanisms | Support of processes by using systems; analysis and specification of application systems | Detailing of measures via concrete mechanisms

Slide 10: Security Management Begins at Strategic Level (2)

Statements for the strategic level:

Whoever relies only on prefabricated solutions will lose valuable know-how in the long run.

Heterogeneous IT landscapes protect against accumulation risks.

IT security is more than technology.

Security should be an integral part of processes from the beginning and should not be appended afterwards.

Security should be developed in line with other disciplines, e.g., to use synergies with business engineering.

Slide 11: Classification according to technical detail level

(Figure: three levels arranged along two axes, the granularity of the technical description and the importance of organizational aspects)

IT security at scale: Security Management
- Secure operation
- Infrastructure
- Emergency management
- Training
- …

Design of secure IT systems: Phase model for the design

Specific IT security mechanisms: Attacker model and concrete mechanisms
- Crypto algorithms
- Protocols
- IT security mechanisms

Slide 12: IT-Governance

IT deployment

– Has to be oriented according to the business objectives

– Has to consider risk sufficiently

Comprises

– Management concepts

– Structure of organizations

– Processes

Methods

– Risk management and risk controlling

– Security management (data protection and data security)

IT-Governance as part of Corporate Governance

Slide 13: Corporate Governance

Regulatory framework for the management and control of organizations with the goal of responsible and long-term value creation

Level of regulation

– Legal standards

– »Soft Laws« (recommendations, frameworks, agreements)

Examples of regulations

– OECD – Principles of Corporate Governance

– Germany – Corporate Governance Codex (referenced in § 161 AktG, »Entsprechenserklärung«, the declaration of conformity)

• “§ 161 AktG: The management boards and supervisory boards of listed companies in Germany shall declare annually that the recommendations of the 'Government Commission German Corporate Governance Code' published by the Federal Ministry of Justice in the official section of the electronic Federal Gazette have been and are being complied with, or which recommendations have not been or are not being applied. The declaration shall be made permanently accessible to the shareholders.”

Slide 14: IT-Governance

(Figure, Nüttgens, Vukelic 2007: IT-Governance spans four areas)

Law and regulatory frameworks

• German Corporate Governance Codex

• SOX, Euro-SOX

• Basel II, Solvency II

• KonTraG

Institutions and job profiles

• IT auditor/revisor

• IT controller

• IT compliance analyst

• IT governance institute

• ISACA

Operational tasks

• Business IT-Alignment

• Control, Organization

• Risk management

• IT compliance

• IT controlling

Reference models and frameworks

• COSO-Model

• IT Infrastructure Library

• CobiT

• ISO 27001

• BSI Grundschutz

Slide 15: IT-Compliance

The compliance with legal requirements and external guidelines is a central maxim of IT Governance and is denoted IT Compliance.

Implications for security management? (Figure: regulations considered – KonTraG, BDSG, SOX, Euro-SOX, Basel II, Solvency II, IT-SiG)

Slide 16: Overview on Important Guidelines

Guideline | Binding for whom? | Impact on Security Management
KonTraG | Many German corporations | indirect; risk management and risk control systems have to be installed; covers IT security-related risks that have the potential to endanger the existence of the whole company
BDSG | All organizations in Germany | direct; describes how to handle specific data; demands concrete mechanisms, e.g., access control (compare “Anlage zu § 9 Satz 1“)
IT-SiG | All organizations in Germany | direct; operators of critical infrastructures, ISPs, and service providers have to maintain a minimum level of IT security; obligation to report and notify
SOX | All companies that are listed on US stock exchanges | indirect; demands an internal control system; correct financial reporting requires the correct functioning of IT and thus also requires IT security
Euro-SOX | Bigger companies and corporations that are listed on the stock exchange | indirect; demands an internal risk management and risk control system
Basel II | Financial institutions in Europe | direct; an internal control system has to be implemented; risks have to be assessed; MaRisk demands the usage of popular ISMS standards
Solvency II | Insurance companies in Europe | analogous to Basel II, but the exact realization is blurry; demands an internal control system; risks have to be assessed

Slide 17: Conclusion on IT-Compliance Guidelines

BDSG and IT-Sicherheitsgesetz: concrete requirements on information security

Others: indirect implications

– Operational internal control systems (assess IT-related risks)

– Correct financial reporting (if done on the basis of IT)

– Detection and treatment of risks that endanger the existence of the organization (also IT-related security risks)

Laws do not state explicitly how to implement and how to prove these requirements

Management is personally liable under SOX and KonTraG in cases of culpable negligence, hence:

– Usage of well-established IT security standards

– Audits as proof

Slide 18: IT-Sicherheitsgesetz

“Artikelgesetz” (an omnibus act that amends several existing laws)

– Valid since July 2016

– Changes and complements, amongst others, the “BSI-, BKA-, Telemedien-, TK-, Atom- und Energiewirtschaftsgesetz”

Addressees: ca. 2000 organizations according to preamble

– Operators of critical infrastructures

• High importance for the functioning of society

– ISPs, service providers, …

• Social Media, Online Shopping, Online Banking, …

Fines for violations (§ 14 Abs. 2 BSI-Gesetz)

– Up to 100,000 EUR if an operator of a critical infrastructure cannot prove fulfillment of the requirements (proof is due every 2 years)

– Up to 50,000 EUR in all other cases

Details are specified by ordinance (§ 10 Abs. 1 BSI-Gesetz)

Slide 19: IT-Sicherheitsgesetz – Typical Requirements

Achieving and maintaining minimum level of IT security (§ 8a Abs. 1 BSI-Gesetz)

– Adoption of an Information Security Management System (ISMS) – like ISO 27001 or BSI 100-1

– Conducting risk analyses, e.g., according to BSI 100-3

Obligation of proof (“Nachweispflicht”) (§ 8a Abs. 3 BSI-Gesetz)

– Presumably via an IT-Grundschutz or ISO 27001 certificate

– Nomination of a contact point for IT security, e.g., an IT security officer

Obligation for operators of critical infrastructures to report significant disturbances in IT security to the BSI (§ 8b Abs. 4 BSI-Gesetz)

– Naming the operator is required when the disturbance actually led to an outage or other negative impact

– Otherwise: obligation to report without naming the operator

Slide 20: ISMS – Information Security Management System

ISMS views (figure: three cycles)

»Operator«: Grundschutz procedure model (security policy, security concept, implementation, maintenance during operation) – stages Init, Security Concept, Implementation, Maintenance

»Management«: Deming cycle (Plan, Do, Check, Act)

»Controller«: Risk management (Identify, Analyze, Treat, Monitor)

Slide 21: Deming Cycle: Plan – Do – Check – Act

(Figure: the cycle turns the information security needs of interested parties into managed security)

Plan: Establish security policy; define objectives and processes

Do: Implement and operate policy, controls, processes

Check: Assess, measure, and report results

Act: Take corrective and preventive actions (based on audits)

Slide 22: IT security management process

IT security management needs to be a key part of the organization's overall management plan

IT security risk assessment needs to be incorporated into the wider risk assessment of the organization

IT management as a cyclic process

– Needs to be constantly repeated

– Changes in IT technology and in the risk environment can be rapid

[STBR11, ISO27005]

Slide 23: From threats to security incidents

Why IT Security Management?

– Protection of company values (assets)

– Requirement by business partners

– Gaining trust

– IT-Compliance

(Figure [Nowey, 2011]: the organization's assets (Asset 1, Asset 2, Asset 3) face threats that exploit vulnerabilities and endanger security goals; measures counter them)

- Threats, e.g.: viruses, worms; DoS; hacking; espionage; social engineering

- Vulnerabilities, e.g.: configuration errors; buffer overflows

- Security goals: CIA; accountability; controlled access

- Measures: proactive; reactive

Slide 24: Security Management

Security management requires the following measures:

1. Development of a security policy

2. Creation of a security concept

3. Realization/implementation of IT security measures

4. Maintenance of IT security during normal operation

Security as part of management

– Should be an explicit management goal

(Figure: process stages Init – Security Concept – Implementation – Maintenance)

Slide 25: Developing a security policy

1. Creation of a team for IT security management

2. Formulation of company goals from a security perspective

To be integrated:

– Business policy and culture of company

– Specific characteristics of the company

– IT strategy

– Regulatory framework

Warning

– Do not use pre-formulated text, policy templates, or policy generators!

(Figure: process stages Init – Security Concept – Implementation – Maintenance; current stage: Init)

Slide 26: Establishing a security concept

1. Threat model

• Recognize and formulate all relevant potential threats

2. Risk analysis

• Rating of threats

3. Definition of assets to be protected and more concrete security requirements

4. Security Architecture

• Create a concept for its realization

Sometimes instead of 1. and 2.: trust model

»What is required?« and not »What is possible?«

(Figure: process stages Init – Security Concept – Implementation – Maintenance; current stage: Security Concept)

Slide 27: Threat vs. Trust Model

Threat model | Trust model
What is threatened? | Whom can I trust?
Preferentially for the realization of safety aspects | Preferentially for the realization of security aspects

Subsequent steps shared by both (figure): risk analysis; definition of assets to be protected and more concrete security requirements; concept of implementation (security architecture)

Slide 28: Risk Management Circle

(Figure: cycle Identify → Analyze → Treat → Monitor)

Risk = P(Event) × Damage

Slide 29: Identification of Threats

Which threats are relevant for the object/asset that has to be protected?

Methods & Tools

– Checklists and workshops

– Threat- and attack trees

– Analyzing scenarios

– Historical data

Problems

– All threats need to be covered

(Figure: example threat tree for »Local network failure«, shown in full on slide 34)

Slide 30: Identification of Threats – Checklists and Workshops: STRIDE (1)

Threat categories of the Security Development Lifecycle (SDL)

Questions

How can an attacker change the authentication data?

What is the impact if an attacker can read the user profile data?

What happens if access is denied to the user profile database?

STRIDE

Spoofing identity

– Example: illegally accessing and then using another user's authentication information, such as username and password.

Tampering with data

– Involves the malicious modification of data

– Examples: unauthorized changes made to persistent data and alteration of data on transfer between two computers over open network

The STRIDE Threat Model. Microsoft, 2002

https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx

Slide 31: Identification of Threats – Checklists and Workshops: STRIDE (2)

Repudiation

– Associated with users who deny having performed an action while other parties have no way to prove otherwise

• Example: a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations

– Nonrepudiation refers to the ability of a system to counter repudiation threats

• Example: a user who purchases an item might have to sign for the item upon receipt

• The vendor can then use the signed receipt as evidence that the user did receive the package

Information disclosure

– Involves exposure of information to individuals who are not supposed to have access to it

– Example: the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers

Denial of service

– DoS attacks deny service to valid users

– Example: making a web server temporarily unavailable or unusable

Elevation of privilege

– An unprivileged user gains privileged access, so that they can compromise or destroy the system

– Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself

Slide 32: Elevation of Privilege (EoP) Card Game

Elevation of Privilege (EoP) is an easy way to get started with threat modeling

The EoP card game helps clarify the details of threat modeling and examines possible threats to software and computer systems

The EoP game focuses on the STRIDE threats

https://www.microsoft.com/en-us/sdl/adopt/eop.aspx

Source: microsoft.com

Slide 33: Identification of Threats – Brainstorming

One not very systematic approach is producing arbitrary threat lists by any ad-hoc brainstorming method

Example: Hospital Information System

– Corruption of patient medical information

– Corruption of billing information

– Disclosure of confidential patient information

– Compromise of internal schedules

– Unavailability of confidential patient information

– ...

Drawbacks of this approach:

– Questionable completeness of identified threats

– Lack of rationale for identified threats other than experience

– Potential inconsistencies, e.g., disclosure vs. unavailability of confidential patient information in example above

Slide 34: Identification of Threats – Threat Trees (1)

Which threats are relevant for the respective asset?

Also known as attack trees

Example (threat tree as drawn in the figure):

Local network failure
  - Power failure
  - Misconfiguration of PC settings
    - Malicious person
    - User mistake
  - Misconfiguration of network devices
    - Malicious person
    - Admin mistake
  - Disconnection of cables

Slide 35: Identification of Threats – Threat Trees (2)

Definition: A threat tree is a tree with:

– Nodes describing threats at different levels of abstraction, and

– Subtrees refining threat of node they are rooted at

– Child nodes give complete refinement of threat represented by parent node

Technique for establishing threat trees:

– Start with general, abstract description of complete set of threats for given system, e.g., “security of system X compromised”

– Iteratively, introduce detail by carefully refining description

– Each node becomes subtree root describing threats represented by it

– Eventually, each leaf node of tree provides description of threat that can be used for a (less arbitrary) threat list

The main idea of this technique is to postpone the creation of (arbitrary) threat lists as much as possible

Slide 36: Identification of Threats – Threat Trees (3) – Example

Hospital System Threats (tree from the figure, [Amo94]):
  - Patient Medical Information
    - Life Threatening
    - Non Life Threatening
    (refined further into Disclosure, Integrity, Denial of Service, ...)
  - Non Patient Medical Information
    - Billing
    - Non Billing
    - ...

At each level of refinement the child nodes of a node must maintain demonstrable completeness to allow for confidence that nothing is missing

Slide 37: Identification of Threats – Threat Trees (4) – Example

• Child nodes can have different relations to parent nodes

• The two most common relations are AND and OR:

(Figure: Disjunction – a Threat node joined to its Subthreats by OR; Conjunction – a Threat node joined to its Subthreats by AND)

These relations can be used to infer the composed threat:

– Augment nodes with effort estimations (e.g., easy, moderate, high)

– For an OR relation, the composed threat's effort is inferred as the lowest effort value among the subtrees (the attacker will most likely take the easy way...)

– For a conjunction (AND), infer the highest effort (all sub-threats have to be realized)

Slide 38: Identification of Threats – Threat Trees (5) – Example

Appropriate attributes are, e.g., estimated criticality and attacker effort for individual threats

Threat trees can help to gain insight where to spend resources to decrease the overall system’s vulnerability:

Before the protective measure (OR relation):
  Threat
    - Subthreat A: Criticality = 4, Effort = 2, Risk = 2
    - Subthreat B: Criticality = 6, Effort = 1, Risk = 6

After the protective measure (OR relation):
  Threat
    - Subthreat A: Criticality = 4, Effort = 2, Risk = 2
    - Subthreat B: Criticality = 6, Effort = 3, Risk = 2

• The second threat tree re-evaluates the risk after a protective measure has been taken to increase the attacker’s effort for subthreat B

• Here, risk is assessed as: Risk = Criticality / Effort
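The OR/AND effort composition from slide 37 and the Risk = Criticality / Effort evaluation from this slide, carried through in code. This is an added Python example, not part of the lecture slides; the `Threat` class, the `harden` helper and the root node's name are assumptions, and the numbers reproduce the two trees above.

```python
"""Threat-tree evaluation: effort composed over OR/AND relations,
Risk = Criticality / Effort per threat, and re-evaluation after a
protective measure (added example; numbers constructed from the slide)."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    criticality: Optional[int] = None     # the slide gives none for the root
    # "OR": any one sub-threat suffices (disjunction);
    # "AND": every sub-threat must be realized (conjunction).
    relation: str = "OR"
    effort: Optional[int] = None          # estimated attacker effort, leaves only
    children: Tuple["Threat", ...] = ()


def composed_effort(node: Threat) -> int:
    """Effort an attacker needs to realize `node`.

    Leaves carry an estimated effort. For an OR node the attacker takes the
    cheapest sub-threat (minimum); for an AND node the most expensive
    sub-threat dominates (maximum), since all of them have to be realized.
    """
    if not node.children:
        if node.effort is None or node.effort <= 0:
            raise ValueError(f"leaf {node.name!r} needs a positive effort")
        return node.effort
    efforts = [composed_effort(c) for c in node.children]
    if node.relation == "OR":
        return min(efforts)
    if node.relation == "AND":
        return max(efforts)
    raise ValueError(f"unknown relation {node.relation!r} at {node.name!r}")


def risk(node: Threat) -> float:
    """Risk = Criticality / Effort, with the effort composed over the subtree."""
    if node.criticality is None:
        raise ValueError(f"{node.name!r} has no criticality estimate")
    return node.criticality / composed_effort(node)


def leaf_risks(node: Threat) -> Dict[str, float]:
    """Risk of every leaf threat, keyed by name."""
    if not node.children:
        return {node.name: risk(node)}
    out: Dict[str, float] = {}
    for child in node.children:
        out.update(leaf_risks(child))
    return out


def priorities(node: Threat) -> List[Tuple[str, float]]:
    """Leaves sorted by descending risk: where to spend resources first."""
    return sorted(leaf_risks(node).items(), key=lambda kv: (-kv[1], kv[0]))


def harden(node: Threat, leaf_name: str, new_effort: int) -> Threat:
    """Copy of the tree in which a protective measure raised the attacker's
    effort for the named leaf (the slide's second tree); the input is unchanged."""
    if not node.children:
        return replace(node, effort=new_effort) if node.name == leaf_name else node
    return replace(node, children=tuple(harden(c, leaf_name, new_effort)
                                        for c in node.children))


def example_tree() -> Threat:
    """The slide's first tree: Threat = Subthreat A OR Subthreat B."""
    return Threat("Threat", relation="OR", children=(
        Threat("Subthreat A", criticality=4, effort=2),
        Threat("Subthreat B", criticality=6, effort=1),
    ))


if __name__ == "__main__":
    before = example_tree()
    after = harden(before, "Subthreat B", new_effort=3)
    for label, tree in (("before measure", before), ("after measure", after)):
        print(label, "| composed effort:", composed_effort(tree),
              "| leaf risks by priority:", priorities(tree))
```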

Slide 39: A High Level Model for Internet-Based IT-Infrastructure

(Figure: components of the model – private networks, mobile communication networks, public Internet, access network, web server, ISP networks, and support infrastructure such as network management and DNS server, ...)

Slide 40: A High Level Threat Tree for Internet-Based IT-Infrastructures

(Figure only)

Slide 41: A Threat Tree for a Safe

(Figure only)

Slide 42: Risk Assessment

How probable is the occurrence and how large is the damage of a potential attack?

Methods & Tools

– Qualitative assessment

– Quantitative assessment

– Game theory

– Worst-case assessment (“Maximalwirkungsanalyse”)

Problems

– Dependency on assets

– Strategic attackers

– Correlations

– Quantification

(Figure: 3×3 risk matrix of damage (low/med/high) against probability of occurrence (low/med/high); the risk grows with both)

Slide 43: Risk Management

Question

– »Which risks should be handled and how?«

Methods

– Risk avoidance

– Risk treatment (e.g., according to IT-Grundschutz and ISO 27002)

– Risk transfer

– Risk acceptance

Challenges

– Complexity of problem statement

– Finding suitable sample solutions

– Composition of a security system out of different security sub-components

Slide 44: Risk Management for IT Systems (1)

(Figure, Schaumüller-Bichl 1992: the risk analysis yields the total risk, which is reduced by risk avoidance, safeguards (security architecture), limitation of damage (disaster plan) and risk transfer (insurances); what is left is the remaining risk)

Slide 45: Risk Management for IT Systems (2)

(Figure as on slide 44, Schaumüller-Bichl 1992)

Slide 46: Risk Management for IT Systems (3) – Emergency or Disaster Plan to Limit Damage

An IT security concept cannot prevent damage or avoid risk 100%

– Emergency plan should be part of planning

Method

– Back-Up plan (computing center, data)

– Operation during an emergency (graceful degradation, …)

– Restoration plans

Loss of availability

– Emergency plans are primarily targeted on the fast restoration of availability

Loss of integrity

– Damage can occur slowly

– Difficult to restore; backup concepts can help

Loss of confidentiality

– Damage can occur slowly

– Nearly impossible to restore, as deletion of all copies not possible

Slide 47: Risk Management for IT Systems (4)

(Figure as on slide 44, Schaumüller-Bichl 1992)

Page 48: 02: IT Security Management Basics (IT Security at Scale) · ... (data protection and data security) ... •BSI Grundschutz. 15 ... •Social Media, Online Shopping, Online Banking,

48

Risk Management for IT Systems (5)

Risk transfer (German: Überwälzung)

– Risk transfer is not applicable to data protection (nor when it comes to criminal law)

[Figure: risk management diagram after Schaumüller-Bichl 1992, repeated on this slide: total risk, reduced by risk avoidance, safeguards (security architecture), limitation of damage (disaster plan) and risk transfer (insurances), leaving the remaining risk.]


49

Risk Management for IT Systems (6)

IT security

– Risk = Probability of occurrence · Damage

– Damages are systematically tolerable

Data protection

– All-or-nothing approach

– Legal requirements must be implemented

[Figure: risk management diagram after Schaumüller-Bichl 1992, repeated on this slide: risk analysis, total risk, risk avoidance, safeguards (security architecture), limitation of damage (disaster plan), risk transfer (insurances), remaining risk.]


50

Risk Management for IT Systems (7)

[Figure: 3×3 risk matrix; x-axis Probability of occurrence (low, med, high), y-axis Damage (low, med, high); each cell gives the resulting Risk.]


51

Risk Management for IT Systems (8)

Typical positions for risk avoidance, acceptance, and transfer

[Figure: the 3×3 risk matrix (Probability of occurrence × Damage, each low/med/high) with the typical regions marked: risk acceptance, safeguards, risk transfer and risk avoidance.]
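As an added illustration of the two slides above (not part of the lecture), the following Python computes Risk = Probability of occurrence · Damage for a constructed risk register, maps each entry onto a low/med/high matrix and assigns one of the four treatment options. The probability and damage bands, the risk level in each matrix cell and the placement of the treatment options in the matrix are assumptions chosen for this example, not values taken from the slides.

```python
"""Added example, not from the lecture: quantitative risk (probability * damage),
a qualitative 3x3 risk matrix and the typical position of the four treatment
options. Bands, matrix cells and option placement are assumed for illustration."""
from dataclasses import dataclass

# Assumed bands for mapping a quantitative value onto the low/med/high scale:
# probability of occurrence per year, damage in EUR if the event occurs.
PROB_BANDS = (0.1, 0.5)            # p < 0.1 -> low, p < 0.5 -> med, else high
DAMAGE_BANDS = (10_000, 100_000)   # d < 10k -> low, d < 100k -> med, else high

# Assumed risk level per matrix cell, indexed [probability level][damage level]
RISK_MATRIX = {
    "low":  {"low": "low", "med": "low",  "high": "med"},
    "med":  {"low": "low", "med": "med",  "high": "high"},
    "high": {"low": "med", "med": "high", "high": "high"},
}


def to_level(value, bands):
    """Map a number onto low / med / high using the two band boundaries."""
    low_max, med_max = bands
    if value < low_max:
        return "low"
    if value < med_max:
        return "med"
    return "high"


@dataclass
class Risk:
    name: str
    probability: float   # probability of occurrence per year
    damage: float        # damage in EUR if the event occurs

    def expected_loss(self):
        # Risk = Probability of occurrence * Damage (slide 49)
        return self.probability * self.damage

    def levels(self):
        return to_level(self.probability, PROB_BANDS), to_level(self.damage, DAMAGE_BANDS)

    def risk_level(self):
        p, d = self.levels()
        return RISK_MATRIX[p][d]


def treatment(p_level, d_level):
    """Assumed typical placement of the options in the matrix (slide 51)."""
    if p_level == "high" and d_level == "high":
        return "risk avoidance"     # do not run the activity at all
    if p_level == "low" and d_level == "high":
        return "risk transfer"      # rare but expensive: insure it
    if p_level == "low" and d_level == "low":
        return "risk acceptance"    # carry it consciously as remaining risk
    return "safeguards"             # reduce probability and/or damage


def assess(register):
    """Return one row per risk, sorted by expected annual loss, highest first."""
    rows = []
    for r in register:
        p, d = r.levels()
        rows.append({"name": r.name, "expected_loss": r.expected_loss(),
                     "probability": p, "damage": d,
                     "risk": RISK_MATRIX[p][d], "treatment": treatment(p, d)})
    return sorted(rows, key=lambda row: row["expected_loss"], reverse=True)


# Constructed sample register (hypothetical values)
REGISTER = [
    Risk("web shop outage (DDoS)", 0.6, 50_000),
    Risk("data centre fire", 0.02, 2_000_000),
    Risk("lost unencrypted laptop", 0.3, 150_000),
    Risk("defaced marketing page", 0.7, 2_000),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['name']:26} P={row['probability']:4} D={row['damage']:4} "
              f"risk={row['risk']:4} E[loss]={row['expected_loss']:>10,.0f} EUR"
              f" -> {row['treatment']}")
```

Note how the two views disagree on purpose: the data centre fire has the second-highest expected loss but lands in a medium matrix cell, and its treatment is transfer rather than safeguards, which is exactly the point of slide 51's "typical positions".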


52

Monitoring Risks and Measures (1)

Questions

– Are the measures effective and efficient?

– How secure is the organization?

Methods

– Characteristic numbers (or metrics) and scorecard systems

– Return on Security Investment (ROSI)

Challenges

– To use the “right” characteristic numbers

– Measure/obtain them in the “right” way

– Keep characteristic numbers up-to-date

Loomans, 2002


53

Monitoring Risks and Measures (2)

Questions

– Are the measures effective and efficient?

– How secure is the organization?

Spending more does not necessarily help more; it depends on how the money is spent!

[Figure: marginal costs and marginal utility of security measures plotted against the investment.]


54

Monitoring Risks and Measures (3)

Questions

– Are the measures effective and efficient?

– How secure is the organization?

Spending more does not necessarily help more; it depends on how the money is spent!

Effectiveness = using the right measures

– Less is sometimes more.

Problems

– The cost and utility functions are difficult to obtain

– The functions are not continuous: security measures usually follow binary decisions


55

Basis: Quantitative Data

Data for the characterization of risks

– Probability of occurrence

– Damage

– Distribution function

Requirements of data sources

– High data quality and timeliness

– Completeness, tailored to the organization

– Simplicity


56

Potential Sources for quantitative Data

Source – Example – Assessment

Expert judgements – Interviews with internal or external experts; CSI/FBI Survey – Often used, but cannot be measured. Subjective and incomplete

Simulations – Historical or Monte Carlo simulations – Not widely known. Good when no data is available to start with

Market mechanisms – Capital market analyses; bug challenges; derivative products – Not applicable to all areas. Not available until now.

Historical data – CERTs/CSIRTs; internal SIEM systems – Widely used in other areas. Quality of forecast? Hardly available


57

sec-compare: Collaborative IT Security Management

Idea

– Designing a system for the collection of quantitative data about security mechanisms and security incidents in organizations

Goal

– Data basis that contains information on damage, probability of occurrence, and probability distributions for security incidents in different organizations

Different possibilities for the usage of this data

– Risk assessment, evaluation of investment decisions

– Benchmarking of organizations

– Evaluation of correlations between incidents

– Knowledge transfer between organizations


58

sec-compare: Basic Architecture

[Figure: participants A, B and C exchange incident data with the platform provider and receive aggregated data back; the provider adds additional data from external sources (CERTs, honeynets, experts, studies).]


59

sec-compare: Security Benchmarking

Easy participation

– No registration necessary

– Providing data on organization is optional

Fast assessment

– Questionnaire-based

– Duration: 30 – 60 min

Options for comparison

– With other companies (basic population - “Grundgesamtheit”)

– With selected questionnaires

• Replies of colleagues, consultants, superiors,...

• Compare own questionnaires over time

Serves as first self-assessment, does not replace a detailed security analysis

http://sec-compare.de


60

Return on Security Investment (ROSI)

Question

– »Have the measures been effective and efficient? How secure is the organization?«

ROSI

– Based on the ALE concept (Annual Loss Expenditure) from the 1970s

– Represents an analogy to the classic Return on Investment

– Different presentation forms and enhancements

ROSI – Return on Security Investment – »Savings« by avoiding most likely damages minus costs for security measures


61

compare: Pohlmann 2006

Return on Security Investment (ROSI)

R Recovery costs – costs of most likely damages

S Savings – reduction of costs of most likely damages

T Total Costs – costs of measures

ALE Annual Loss Expenditure – remaining costs after incident

ALE = R – S + T

ROSI = R – ALE

ROSI = S – T

ROSI – Return on Security Investment – »Savings« by avoiding potential damages minus costs for security measures


62

compare: Pohlmann 2006

Return on Security Investment (ROSI)

Example

– Web service

• Savings – reduction of costs of most likely damages

S = 100.000 EUR per year (customer and image loss)

• Total Costs – costs of measures/safeguards

T = 5.000 EUR per year (Certificate, Firewall, Updates etc.)

ROSI = S – T = 95.000 EUR p.a.

ROSI – Return on Security Investment – »Savings« by avoiding potential damages minus costs for security measures
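As an added example (not from the lecture or from Pohlmann 2006), the following Python evaluates ALE = R – S + T and ROSI = R – ALE = S – T for a set of candidate measures and then picks the subset that maximises ROSI within a budget. Each measure is either deployed or not, which is the binary decision the "Monitoring Risks and Measures" slides mention. The measures, their figures, the budget and the simplifying assumption that the savings of different measures add up are constructed for this example; with a budget of 5.000 EUR the chosen pair reproduces the slide's numbers (S = 100.000, T = 5.000, ROSI = 95.000 EUR p.a.).

```python
"""Added example, not from the lecture: ALE/ROSI per set of measures and a
binary (take it or leave it) selection of measures under a budget.
All figures below are constructed sample values."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Measure:
    name: str
    savings: float   # S: reduction of the costs of the most likely damages, EUR p.a.
    cost: float      # T: costs of the measure, EUR p.a.


def ale(recovery, measures):
    """ALE = R - S + T: annual loss that remains after the measures.
    Assumption: savings of different measures are additive and never exceed R."""
    s = sum(m.savings for m in measures)
    t = sum(m.cost for m in measures)
    return recovery - s + t


def rosi(recovery, measures):
    """ROSI = R - ALE, which reduces to S - T."""
    return recovery - ale(recovery, measures)


def best_set(measures, budget):
    """Exhaustively try every subset: a measure is either taken or not, the
    total cost must stay within the budget, and ROSI is maximised.
    Fine for a handful of measures; for many, use a knapsack DP instead."""
    best, best_value = (), 0.0          # doing nothing has ROSI 0
    for k in range(1, len(measures) + 1):
        for subset in combinations(measures, k):
            cost = sum(m.cost for m in subset)
            value = sum(m.savings - m.cost for m in subset)
            if cost <= budget and value > best_value:
                best, best_value = subset, value
    return best, best_value


# Constructed figures, loosely following the slide's web service example
R = 150_000.0   # most likely damages per year without any measure
CANDIDATES = [
    Measure("TLS certificate + updates", savings=60_000, cost=3_000),
    Measure("web application firewall", savings=40_000, cost=2_000),
    Measure("24/7 SOC retainer", savings=20_000, cost=30_000),   # negative ROSI on its own
    Measure("offsite backups", savings=15_000, cost=5_000),
]

if __name__ == "__main__":
    for m in CANDIDATES:
        print(f"{m.name:28} ALE={ale(R, [m]):>10,.0f}  ROSI={rosi(R, [m]):>8,.0f} EUR p.a.")
    for budget in (5_000, 10_000, 50_000):
        chosen, value = best_set(CANDIDATES, budget)
        names = ", ".join(m.name for m in chosen) or "(nothing)"
        print(f"budget {budget:>6,}: ROSI {value:>8,.0f} EUR p.a. with {names}")
```

Note that the SOC retainer is never chosen even with a generous budget: a measure whose cost exceeds its savings lowers ROSI, which is the kind of result the slide's criticism warns is easy to get wrong when S and T are only guessed.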


63

Return on Security Investment (ROSI)

ROSI criticism

– Costs and benefits are difficult to assess, unlike in classical investment projects

– It is not only about operative decisions: security management starts at the strategic level

What is the benefit?

– Compliance with legal requirements

– Generation of additional income

– Efficiency gains

– Reduction of risks

What are the costs?

– Costs for procurement, adoption, operation

– Costs for changes in processes and operations

A risk management approach on the operational level is required


64

Risk management circle

[Figure: risk management circle with the phases Identification, Evaluation, Control and Monitoring and the methods used in each: Identification – checklists, workshops, experts, historical data; Evaluation – basic approach, categories, quantitative methods (Risk = Probability of occurrence · Damage); Control – best practice, scoring, quantitative methods; Monitoring – checklists, scorecards, characteristic numbers.]


65

Criteria Landscape for Security-related Standards

Security-related standards exist for

– Process/procedure models for security management

– Special security functionality (e.g., Cryptography)

– Certification and Audits

– ...

Partially also sector-specific standards (e.g., banking)

[BK13]

[Figure: landscape of security-related standards, arranged by scope (Product, System, Process, Environment) and architecture level (Technology, Guideline, Evaluation); areas shown: evaluation of IT security, systems for managing information security, security measures and monitoring, physical security, cryptographic protocols and IT security procedures.]


66

Security Management Standards in the Context of this Lecture

ISO 27000 Family

Family of ISO/IEC Information Security Management Systems (ISMS) standards

Developed by the International Organization for Standardization (ISO)

Different standards that address

– Requirements to an ISMS

– Code of practices

– System implementation guidance

– Measurement of effectiveness of ISM

– Security risk management

– Audits and Certification

BSI IT-Grundschutz

Developed by the “Bundesamt für Sicherheit in der Informationstechnik (BSI)”

Compatible with ISO 2700x

No detailed risk analysis as in ISO 27005

Concrete threats, without assessing their probability of occurrence and damage

Three protection levels for assets

The catalogue provides the corresponding measures/safeguards for an asset depending on its protection level


67

References

[ISO27001] ISO/IEC, “ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements,” 2005.

[ISO27002] ISO/IEC, “ISO/IEC 27002:2005 – Information technology – Security techniques – Code of practice for information security management,” 2005. Formerly known as ISO/IEC 17755:2005.

[ISO27003] ISO/IEC, “ISO/IEC 27002:2010 – Information security management system implementation guidance,” 2005.

[ISO27005] ISO/IEC, “ISO/IEC 27005:2008 – Information technology – Security techniques – Information security risk management,” 2008.

[NIST02] National Institute of Standards and Technology, “Risk Management Guide for Information Technology Systems,” Special Publication 800-30, July 2002.

[STBR11] William Stallings and Lawrie Brown, “Computer Security – Principles and Practice,” 2nd ed., hardcover, 816 pages, Pearson, 2011.

[Amo94] E. Amoroso, “Fundamentals of Computer Security Technology,” Prentice Hall, 1994.

[Cam16] Tony Campbell, “Practical Information Security Management – A Complete Guide to Planning and Implementation,” Apress, 2016.

[BK13] BITKOM, “Kompass der IT-Sicherheitsstandards,” 2013. https://www.bitkom.org/noindex/Publikationen/2013/Leitfaden/Kompass-der-IT-Sicherheitsstandards/Kompass-der-IT-Sicherheitsstandards-it-sa-Broschuere-Web.pdf