Source: neversys.com/wp-content/uploads/2015/08/Deliverable... (web view)


COMPREHENSIVE SECURITY ASSESSMENT SYSTEMIZATION

Developed by Jesse C. Schroeder

August 08, 2015

For Western Governors University

Completion of the Masters of Information Security & Assurance

Jesse C. Schroeder | WESTERN GOVERNORS UNIVERSITY

Contents

Introduction
High Level Discussion of the Assessment Model
    Review of Multiple Models
        NIST Special Publications 800-30 rev. 1, 800-37, & 800-115
        OSSTMM v3
        DISA ACAS
        ISSAF
        OWASP Proactive Controls
        ISO 27001 & 27002
        COBIT 5
        IBM Security Services
        PCI v3.1
    Identification of Necessary Categories
Sectional Discussion of the Assessment Model and Implementation
    Comprehensive Policy
        Documentation Creation
    Defining Business Requirements
        Identify Assets
        Create Risk Tolerance Levels
        Mitigation Strategies
    Scheduling
        Automated
        Manual
    Security Assessment Automation
    Creating Security Culture
        Security Awareness
    Updating Documentation
        Third Party Input
Staff Education Guidance
    A Layered Approach
        Requirements Driven
        Means Driven
        Needs Driven
Creation of Initial Security Baseline
    Initial Implementation
    Goal Achievement Metrics
    Application of Practice Metrics
Successive Implementations
    Planning
    Tracking
    Correcting
    Reporting
References
Appendix A: RISK ASSESSMENT METHODOLOGY EVALUATION

Introduction

This is a living document and will be altered to fit the needs of the organization that utilizes it. The purpose of this documentation is to create a comprehensive security assessment system that fulfills the end-user requirements of Innova Corporation. With this system, the company can use the documentation to create a security baseline for its organization and repeat the same process at satellite offices. The documentation is not site specific and can be used by any large organization to establish or audit the information security model of its operating environment.

The security model has been developed for Innova Corporation [1], which has over 1000 unique user instances. The functional requirement is that the organization takes the documentation and applies the process thoroughly, and in the order described, to determine the probability of asset loss or compromise on the information systems of the business.

This documentation reviews various security standards and attempts to create a comprehensive security assessment system for implementation at Innova Corporation. The documentation reviewed is:

• NIST Special Publications 800-30, 800-37, & 800-115
• OSSTMM v3
• DISA ACAS
• ISSAF
• OWASP Testing Guide
• ISO 27001 & 27002
• COBIT 5
• PCI v3.1

[1] Hypothetical Company

The following documentation includes:

• A high level discussion of the assessment model
• A sectional discussion of the assessment model and implementation
• Guidance for the creation of documentation during implementation
• Guidance for the education of implementation staff
• A discussion about the creation of an initial security baseline
• A discussion about successive implementations

High Level Discussion of the Assessment Model

Review of Multiple Models

The following is a brief overview of the findings in the various models that have been reviewed for the creation of a comprehensive security assessment system for Innova Corporation. Listings from the research have been placed under the title of each document. These findings will be used to identify and create the necessary categories for the assessment model systemization.

NIST Special Publications 800-30 rev. 1, 800-37, & 800-115

The National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, creates multiple publications every year for multiple industries. The focus in this paper is placed upon three reports chosen from the information technology sub-section of the agency's publications.

In the 800-30 rev. 1 publication (National Institute of Standards and Technology, 2012), the documentation describes three risk tiers for the business to manage. The tiers listed are Organizational, Business Process, and Information Systems. Within each tier, the business will need to implement four steps of risk management. These include:

Step 1: Frame Risk / Establish Context
Step 2: Assess Risk
Step 3: Respond to Risk
Step 4: Monitor Risk

The establishment of the three tier system focuses on covering all areas of the business and uses the steps listed above to ensure that each step in the tier is properly documented. The 800-30 rev. 1 publication does not use the tier system to create silos inside the business; instead, all three tiers work together to create a holistic approach.

NIST 800-30 rev. 1 emphasizes living documentation by updating the assessment framework as needed for each tier of the risk management process. When it comes to conducting assessments for each tier, the process has five steps (National Institute of Standards and Technology, 2012). These include:

• Identifying the threat sources and the events that occur
• Identifying the vulnerable areas and current operational conditions
• Determining the likelihood of exploitation
• Determining the magnitude of the exploitation impact
• Determining the risk level for the organization

The previous list creates a model that emphasizes identifying each threat and determining information about the threat quickly so that the business can recover and mitigate any damage.

In the 800-37 publication (National Institute of Standards and Technology, 2010), the documentation focuses on five areas of security for a business to utilize. These areas include:

• Emphasis on real time management
• Clear, cost-effective decisions in line with the mission
• Security culture
• Use of tools
• Emphasis on responsibility / accountability

The five areas identified above create a model of security that works alongside the needs of the business. The 800-37 documentation discusses the use of vendor tools for automation and creates a dependence on making decisions in a cost-effective manner to mitigate risk. This methodology produces the understanding that it is not necessary to reduce risks to nonexistence; instead, the business must choose to accept certain risks based upon a cost-benefit analysis of the risk level.

In the 800-115 publication (Scarfone, Souppaya, Cody, & Orebaugh, 2008) there is a detailed set of instructions for creating a security testing and assessment model. This documentation lists seven major sections that provide technical guidance for completing the assessment process and remediation activities. An overview includes:

• Overview of assessments
• Technical examination techniques
• Identification of targets and analysis for potential vulnerabilities
• Techniques used to validate vulnerabilities
• Planning the security assessment
• Key factors in the execution of the assessment
• Reporting findings and remediation

The 800-115 documentation is extremely detailed, with various techniques that can be used in each of the seven sections. An understanding taken from this documentation can be identified as possibly twelve key areas, which Yang Xiao (Xiao, 2014) has identified as:

1. Identify scope
2. Roles and responsibilities
3. Limitations and assumptions
4. Systems configuration
5. Network traffic
6. Network rulesets
7. Vulnerability scanning
8. Network discovery
9. Protocol identification
10. Password cracking
11. Social engineering
12. Penetration testing
13. Cause identification
14. Mitigation review
15. Reporting

This list creates a well-defined shorthand of what the 800-115 publication contains. The NIST report contains too much information for what is to be applied to the scope of the model for Innova, but it does have valid sections that will be utilized.

OSSTMM v3

The Open Source Security Testing Methodology Manual (OSSTMM) version 3 offers multipurpose usage in its documentation, suggesting that the information can be used for ethical hacking, penetration testing, or security assessments. The OSSTMM v3 is very detailed and emphasizes providing only fact based evidence when using its testing methodology (ISECOM, 2010). Due to this emphasis, the documentation also strongly suggests that individuals become certified to encourage proper implementation of the model. This leads to decision making that does not lend itself towards a risk based approach, due to the subjective nature of the business defining its own risk tolerance levels.

However, the OSSTMM v3 does suggest that its model can be adapted for use in operational security. Innova will be able to implement sections of the OSSTMM v3 in the mitigation strategies during the creation of the assessment system.

DISA ACAS

The Defense Information Systems Agency (DISA) has released a document called the Assured Compliance Assessment Solution (ACAS). This documentation can be readily understood by reading the case study about proper security hygiene released by Tenable Network Security, due to the partnership between the Department of Defense (DoD) and Tenable.

This case study emphasizes five key areas for creating better cyber hygiene in an organization by using a security hygiene model of network management. These five steps need to be repeated on a regular basis to ensure compliance with the ACAS. The five items are (Tenable Network Security, 2014):

• Inventory all devices on the network
• Inventory all software on the network
• Develop and manage information security configurations
• Automate vulnerability assessments and remediation
• Actively manage and control the use of admin privileges

The SANS Institute [2] has worked directly with Tenable to create a living document that contains twenty items for securing the information network of an organization (SANS Institute, 2015). This documentation suggests that fifteen out of the twenty items needed for securing the network can be automated. Creating a framework of automation, which encourages the usage of vendor tools, cuts down on the workload to maintain security and assess the current status of an information environment.

[2] A private United States company specializing in information security and cyber security training. More information can be found at http://www.SANS.org

ISSAF

The Open Information System Security Group (OISSG) has worked to create the Information System Security Assessment Framework (ISSAF). Section 6 of this documentation presents an evaluation checklist for assessing the methodology of a risk assessment (OISSG, 2004). The documentation addresses eight questions to identify and ensure that the proper areas have been created for a risk assessment. The creation of the model for Innova Corporation will address these questions [3] to ensure the proper development of the desired model.

OWASP Proactive Controls

The Open Web Application Security Project (OWASP) Proactive Controls is a living document listing the top ten strategies for securing a network. At the time of this writing, OWASP lists the following as its top ten (OWASP, 2015):

1. Parameterize Queries
2. Encode Data
3. Validate All Inputs
4. Implement Appropriate Access Controls
5. Establish Identity and Authentication Controls
6. Protect Data and Privacy
7. Implement Logging, Error Handling and Intrusion Detection
8. Leverage Security Features of Frameworks and Security Libraries
9. Include Security-Specific Requirements
10. Design and Architect Security Into Infrastructure

This list is used to establish a scope of areas that are associated with higher risk levels. The items are listed in hierarchical order and should be followed as listed. Updates to this list do occur, and the list should be monitored on a regular basis to establish a proper perspective of risk level.

[3] See Appendix A.

ISO 27001 & 27002

ISO publications 27001 & 27002 are closely linked in terms of policy management and scope. These two documents will be addressed together instead of individually. The implementation of these publications emphasizes the use of a four stage model to create a model of comprehensive management. These stages are (Calder & Watkins, 2012):

• Plan how to best implement solutions
• Do the work of implementing the solutions discussed
• Check to see if the implementations had the desired effect
• Act to mitigate any further problems and report on the findings, thus starting the process again

There are 6 steps in the Plan stage and 5 steps in the Do stage of this model, and they are defined as (Calder & Watkins, 2012):

6 Step Plan Stage:
o Define Scope
o Define InfoSec Policy
o Define Systematic Approach to assessment and Criteria
o Implement Approach to discover risks
o Review results and define Mitigation
o Prepare statement of applicability

5 Step Do Stage:
o Create Risk treatment plan
o Implement plan and controls
o Arrange staff training
o Manage resources
o Monitoring procedures

These findings will be used to help create the comprehensive security assessment model for the Innova Corporation. The Plan and Do stages of the ISO 27001 & 27002 documentation will be used in the policy and requirements sections of the model for Innova.

COBIT 5

The Information Systems Audit and Control Association (ISACA) released version 5 of the Control Objectives for Information and Related Technology (COBIT) in April of 2012 (ISACA, 2012) and has continued to develop this implementation. In the documentation, there is a listing of five key principles that are needed to comply with the COBIT 5 model. These are:

• Meet Stakeholder Needs
• Cover All Enterprise
• Single Integrated Framework
• Holistic Approach
• Separate Governance from Management

The COBIT model emphasizes ensuring that the needs of the organization are met on a business level first and that the implementation of the model covers the entire organization in a single comprehensive framework.

IBM Security Services

IBM has released multiple white papers, one of which discusses four key components that will help secure large organizations. These are (IBM Corporation, 2013):

1. Prioritize business objectives and set risk tolerance
2. Protect the organization with a proactive security plan
3. Prepare a response for a sophisticated attack
4. Promote and support a culture of security awareness

These four security practices identify the need to create a plan that emphasizes the needs of the business first and bases the security practices on those needs. The four components can further be broken down into IBM's ten security essentials, which the documentation identifies as (IBM Corporation, 2013):

1. Build risk aware culture
2. Manage incidents & respond
3. Defend the workplace
4. Security by design
5. Update systems
6. Control access
7. Isolate services
8. Create a culture of security
9. Inventory assets
10. Identify people and monitor them in the operation

PCI v3.1

The Payment Card Industry (PCI) has a Security Standards Council that releases data security standards for "consistent data security measures globally" (PCI Security Standards Council, LLC, April, 2015). In its current standard, released April 2015, PCI includes 6 sections of identification. These include:

• Build and Maintain a Secure Network and Systems
• Protect Critical Business Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Test Networks
• Maintain an Information Security Policy

The previous sections are then broken down into action steps that organizations can take to comply with the PCI standard v3.1. The listing below develops a listing that a business can use to become PCI compliant.

Configure the following to control the network: Proactive Policy (PCI Security Standards Council, LLC, April, 2015)

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored business data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

Identification of Necessary Categories

After a study of the previous documentation, it has been found that similar categories from the documentation can be identified for the creation of a comprehensive security assessment system. Many of the papers identify the same categories and emphasize their need in the creation of the Innova security assessment system. The categories were chosen based upon the need to cover all information security areas at Innova Corporation and the ability to reuse the information during any modification or exportation of the documentation.

These categories have been identified as follows:

• Identify the needs of the business
• Assessment Automation
• Create a schedule for testing and comparison of results
• Utilize policy for the entire business
• Continue to Update the Documentation
• Educate Staff
• Create Culture of Security

Sectional Discussion of the Assessment Model and Implementation

Comprehensive Policy

The creation of a comprehensive policy to address the security assessment system includes the four key areas associated with the IBM Security Services. All policies created focus on an organization wide approach to risk management, and all sections of the business need to work together to promote a culture of security.

1. Prioritize business objectives and set risk tolerance
2. Protect the organization with a proactive security plan
3. Prepare a response for a sophisticated attack
4. Promote and support a culture of security awareness

Documentation Creation

The creation of documentation for a comprehensive policy needs to be based upon an assessment template framework. This documentation will act as a checklist for the implementation of policies created for security assessments. The framework includes:

• Stakeholder requirements for proper business governance
• Managed asset categories based upon the identified requirements
  o Subcategories listing tools that are used for assessing security
• Reports returned from security assessments listing risk matrix levels
  o Mitigation strategies for identified vulnerabilities
• Actions taken towards securing the network by the organization
• Timestamps and professionals responsible for the documentation

Utilizing this framework creates a standard for the comprehensive security assessment system that can be easily scanned and understood by the professionals working on the information systems. Also, with the inclusion of timestamps and the names of the responsible parties, this documentation includes the element of nonrepudiation.

Defining Business Requirements

To define the business requirements of Innova Corporation, the assessment team needs to take a few initial steps before any further documentation can be created. First, the team must identify the assets. Second, risk tolerance levels need to be created. These two steps are associated with the ISSAF, wherein the initial steps are defined for the creation of risk association.

Identify Assets

The initial step in creating the assessment model for Innova Corporation is to create an overview of the business. This is done by identifying all of the assets attached to the information network. Viewing the definition in the DISA ACAS section of the models, it can be seen that these assets include:

• Hardware
• Software
• Documentation or Multimedia
• User accounts
• Permissions

Once established, this information needs to be discussed with company stakeholders to acquire a definitive governance model for the business. This model establishes the requirements for the continued success of the business. Only the top stakeholders of the business understand what is required for the continual success of the business model.

Page 19: Introductionneversys.com/wp-content/uploads/2015/08/Deliverable... · Web viewCOBIT 5 PCI v3.1 The following documentation includes: A high level discussion of the assessment model

COMPREHENSIVE SECURITY ASSESSMENT SYSTEMIZATIONCreate Risk Tolerance Levels

The creation of risk tolerance levels allows the organization to manage the risk levels

associated with the assets of the business. This is needed because the business cannot focus on

all risks at once. Therefore, a hierarchy of risks needs to be defined for the organization. This

assessment model create three layers of risk: High, Medium, and Low.

These three layers are based upon the probability of asset exploitation and the impact it may have on the business. To understand which assets may be at a higher risk level than others, the OWASP Proactive Controls model has been reviewed.

Innova must now take the assets that are identified as critical to the business, associate them with the current probable levels of exploitation, and assign them a risk level. Doing this creates the risk matrix for the organization and prioritizes the risks based upon these ratings. To be clear, this matrix will not become populated until a risk assessment is implemented at the organization.
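As an added worked example (not part of the original paper), the following Python script builds the risk matrix described above using the rating rule the paper restates in Appendix A, items 1.4 to 1.7 (risk rating = probability x impact, then prioritize), and maps each rating to the High, Medium, and Low tolerance levels. The sample asset inventory, the 1 to 5 rating scales, and the tier thresholds are constructed assumptions for illustration; stakeholders would set the real thresholds in the governance model.

```python
"""Risk matrix construction for the assessment model (added example).

Rates each critical asset's probability of exploitation and business impact,
computes risk rating = probability x impact (Appendix A, item 1.6), maps the
rating to the High / Medium / Low tolerance levels and prioritizes (item 1.7).
Scales, thresholds and the asset list are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed rating scale (assumption): 1 = lowest, 5 = highest.
SCALE_MIN, SCALE_MAX = 1, 5

# Constructed tolerance thresholds (assumption).  Rating = probability * impact,
# so it ranges from 1 to 25; each tier is the lowest rating that belongs to it.
TIERS = (("High", 15), ("Medium", 6), ("Low", SCALE_MIN * SCALE_MIN))


@dataclass(frozen=True)
class Asset:
    name: str
    category: str        # Hardware, Software, Documentation, User accounts, Permissions
    probability: int     # likelihood the asset is exploited (1..5)
    impact: int          # damage to the business if it is (1..5)

    def __post_init__(self):
        # Reject ratings outside the agreed scale so the matrix stays comparable.
        for field_name in ("probability", "impact"):
            value = getattr(self, field_name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{self.name}: {field_name}={value} outside {SCALE_MIN}..{SCALE_MAX}")


def risk_rating(asset: Asset) -> int:
    """Appendix A item 1.6: rating = probability x impact."""
    return asset.probability * asset.impact


def risk_level(rating: int) -> str:
    """Map a numeric rating to the High / Medium / Low tolerance levels."""
    for level, floor in TIERS:
        if rating >= floor:
            return level
    raise ValueError(f"rating {rating} is below the lowest tier")


def build_risk_matrix(assets):
    """Return rows (asset, rating, level) with the highest risk first.

    Ties are broken on impact, then on name, so the ordering is deterministic
    and a high-impact asset is never listed below a low-impact asset that
    happens to share the same rating.
    """
    rows = [(a, risk_rating(a), risk_level(risk_rating(a))) for a in assets]
    rows.sort(key=lambda r: (-r[1], -r[0].impact, r[0].name))
    return rows


def tolerance_breaches(matrix, accepted_level="Low"):
    """Names of assets whose level is above what the business agreed to tolerate."""
    order = [level for level, _ in TIERS]          # High, Medium, Low
    cutoff = order.index(accepted_level)
    return [a.name for a, _, level in matrix if order.index(level) < cutoff]


# Constructed sample inventory (assumption), one entry per asset type in the paper.
SAMPLE_ASSETS = [
    Asset("Internet-facing web server", "Hardware", probability=4, impact=5),
    Asset("Internal wiki", "Documentation", probability=2, impact=2),
    Asset("Shared service account", "User accounts", probability=3, impact=4),
    Asset("Domain admin group membership", "Permissions", probability=2, impact=5),
    Asset("Legacy inventory app", "Software", probability=5, impact=3),
]

if __name__ == "__main__":
    matrix = build_risk_matrix(SAMPLE_ASSETS)
    for asset, rating, level in matrix:
        print(f"{level:6} {rating:2}  {asset.category:14} {asset.name}")
    print("Above tolerance:", tolerance_breaches(matrix))
```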

Mitigation Strategies

Once assets have been discovered with unacceptable risk levels, mitigation strategies need to be implemented. These strategies are based upon the tools used to assess the information systems. Automated tools return varying mitigation strategies. Therefore, it is required that the organization use multiple sources for scanning the network to identify vulnerabilities. When the tools return mitigation strategies, the employees must simply follow the instructions to close the security holes in the network.

It is suggested, but not required, that the company use vendors that supply proof of the identified vulnerabilities when selecting tools for scanning the network. This means that the tools will actively exploit vulnerabilities; one such tool is Netsparker[4]. In this way, Innova security personnel can have proof that the vulnerability can actually damage the system, because these types of tools do not return vulnerabilities that they cannot exploit, ensuring a very low or nonexistent false positive rate.

[4] Information can be found at https://www.netsparker.com/

If Innova employees come across vulnerabilities that they do not understand, the company should call the vendors of the security tools that the implementation team has chosen and discuss possible ways to fix the unknown problem. Or, if a vulnerability cannot be fixed, then a meeting needs to be held with the stakeholders to discuss possible mitigation strategies at a business level.

Scheduling

Two types of scheduling have been identified for creating the assessment system based upon the NIST 800-37 documentation: automated and manual scheduling. The main purpose of scheduling the implementations and mitigation strategies of the assessment model is to verify the implementation procedures and validate mitigation events.

Automated

The automated scheduling is based upon the tools used for implementing part of the security assessment model. Automation occurs when enabling processes that can be run without oversight. These processes are the tools selected by the organization for scanning the network and searching for vulnerabilities. The automated processes are maintained by third parties, and the tools develop reports for Innova based upon the settings that are enabled in the tools.

A list of automated settings that the scanning tools can use will be created based upon the policies created during the creation of the business requirements and management policies. Selecting and purchasing tools for the organization will be a joint process between the stakeholders of the organization and the management team that is implementing their requirements. Tools change and are updated all the time. However, at the time of this writing, the tools that Tenable Network Security has created, in conjunction with the identified requirements from the DoD, are top of class for automatically scanning information networks.

Manual

Manual scheduling for the security assessment system is used to implement the defined policies by employees of Innova Corporation. This strategy is used when there are changes to the network and systems at the business, a review needs to be undertaken to ensure the automated tools are running properly, or a security assessment needs to occur.

When implementing a security assessment, it is necessary to schedule the required working hours to complete the tasks documented in the management section of the comprehensive policy. Without the proper human resources dedicated to completing the assessment, there is an unknown chance of successfully securing the information network. If a secure network cannot be guaranteed, then there is no point in undergoing a partial security assessment implementation.

The business undergoes a shift in the risk matrix when changes to the network and systems at the business occur. This is due to implementing a different set of variables into the network. Depending on what is implemented, huge shifts may occur and leave the critical resources of the business vulnerable to assault. The only way to ensure the security of the network is to undergo a security assessment and use the successive implementation model discussed in this document.

A schedule for reviewing the automated reports from the scanning tools is a requirement for the completion of security assessment implementation. The staff that is accountable for implementing and overseeing the tools utilized in the security assessment must be able to complete their tasks. In this way, the vendors can be held accountable for their tools that are implemented on the Innova network. If the employees are not allowed the necessary resources for the completion of their tasks, then the chain of accountability falls apart and, therefore, the security model.


Security Assessment Automation

As described in the DISA ACAS section of the high level review, multiple sections of the security assessment model can be automated. This automation is continuous and reports to the team assigned to review this documentation. The main benefits of utilizing automated tools are:

• Reduction in labor and reporting error
• Minimize vulnerability exposure
• Shift responsibility
• Constant monitoring
• Consistent report forms

A multitude of automated monitoring tools exist to assess the security posture of an organization, and their review is beyond the scope of this paper. However, the need for such tools is obvious due to the benefits described above. When automated tools are used, the reporting error of humans is reduced to the levels automated in the software. This creates a minimal amount of error that is shifted to the vendors that supply the tools implemented, because those companies are responsible for the training of Innova employees that are managing their product.

The reduction in labor is justified by the reduction in work hours necessary to implement the security assessment. Varying tools need a differing amount of oversight and will cut the workload at a rate based upon that oversight. Also, it is required that Innova choose tools that utilize constant monitoring of the network for quick identification of vulnerabilities and risk mitigation. This method reduces the risk of long term vulnerability exposure time to a minimal level by delivering consistent reporting forms on a scheduled basis to the security assessment implementation team.

The implementation team will need to review the automated reports and add them to the living documentation of the security assessment framework. The team will also need to use these reports when the mitigation procedures take place and add their own documentation about the results of their work to the assessment documentation.

Creating Security Culture

Developing a security culture at Innova Corporation requires the establishment of trust in the business and the employees that work there. The consequences of creating a culture of security at a business involve the prevention of fraud and misuse of information resources (Ross, 2011). In order to create this culture, strategic drivers must be implemented at the organization. These drivers include:

• Establishing leaders of security
• Ensuring a budgetary establishment for security
• Utilizing policy to ensure responsibility
• Creating security awareness and education programs

The leaders of information security at the organization are established through the creation of the three tier staff education guidance section of this paper. These leaders work directly with stakeholders to establish security requirements for the organization. The stakeholders ensure the budgetary requirements for the policies are met, because the security assessment policies are based upon the business requirements during the creation of policy. The policies created hold the individuals who implement them responsible. This is one of the requirements of the comprehensive security assessment system.

Security Awareness

Creating a security awareness and education program for employees at Innova involves:

• Input from the stakeholders about the needs of the business
• Concise actionable steps employees can take to enact security requirements
• Development of a security reporting model for the organization
• A hold harmless doctrine for reporting to enable the development of trust in the organization

All staff members need to attend a minimum of one training session to understand the requirements being placed upon them by the organization. This will ensure the accountability of all employees at Innova and allow additional documentation into the living model of the security assessment.

Updating Documentation

The documentation of the comprehensive security assessment system will need to be updated when new information is discovered about the assessment process. This discovery will come from the implementation of the model, third party documentation, acquiring new software or hardware services, or other unforeseen sources. Due to the design of the living document assessment model, version control can be implemented.

To control the various versions of the documentation, a numbering strategy is used for maintaining the versioning process. Three decimal versions are used (0.0.0), thus creating columns A, B, and C. These columns are used as follows:

• Column A: Major revisions to the assessment model, thus creating the need to deprecate the previous model.
• Column B: Yearly review and update of the assessment model with reports appended to the documentation.
• Column C: Each successive implementation with reports appended to the documentation.

The initial documentation is known as the prototype model and has a version number of 0.0.0. Each revision, whether major or minor, needs to be kept for a minimum of five years, starting at the time of release of the documentation.

Third Party Input

During the lifetime of the security assessment model for Innova Corporation, there will be reports released from vendors and researchers that will need to be addressed and added to the assessment model for Innova. When this occurs, Innova may choose to address the issue immediately or wait until the appropriate time. However, this information cannot be ignored and needs to be compared to the threat matrix of the business. Once assessed against the matrix, Innova can more easily find the appropriate time scale for addressing the newly released information.

Staff Education Guidance

A Layered Approach

The staff of Innova Corporation will need education and guidance during the stages of the security assessment life cycle. Understanding the needs of a fully developed education model comes from understanding the three tiers of an appropriate education program (Roper, Grau, & Fischer, 2006). These three tiers are each driven by the needs of the assessment program, and each has clearly defined responsibilities for the individuals that are implementing them.

Each tier is designed to target a specified sector of the security assessment system with defined performance objectives. Innova needs to develop content specific to each tier and define communication channels for information to flow throughout the organization without hindrance. After the education program has been developed and implemented, this information will be added to the security assessment as a vector for evaluation to ensure effectiveness.

When evaluations are undertaken, the results of the observations need to be added to the comprehensive security assessment system documentation as part of the security baseline. Ensuring that the staff execute the management process correlates directly with the success of business security.

Requirements Driven

The requirements driven approach to staff education utilizes the business requirements. This tier of the education model is used to implement policies of protection for the identified assets. The team implementing this tier has the responsibility to:

• Create policy for the assessment system that covers business assets
• Maintain the policies created by utilizing the living documentation model
• Act as leaders towards the other two tiers
• Communicate with all teams involved to ensure all needs are met and understood

Using this list to hold the Requirements Driven tier accountable will ensure that the business needs are being achieved. Developing an education platform from the list above enables the business to guarantee the understanding of the employees who will be dedicated to executing the list.

Means Driven

The means driven approach to staff education focuses on the scheduled operations of the comprehensive security assessment system. These scheduled operations are:

• Implementation of the security assessment policies
• Review of the reports generated by the tools utilized during assessment
• Mitigation of the vulnerabilities discovered during assessment
• Reporting the results to the Requirements Driven tier
• Working with a dedicated scheduling process for assessment implementations

Developing an education platform that utilizes the above list will require discussions with the Requirements team and the vendors of the tools utilized during implementation. The Means Driven tier has the heaviest burden of technical education and will need to be given the appropriate amount of time to develop the skills needed for implementation.

Once the Means Driven team has achieved the skills necessary to properly implement the desired actions of the above list, only then can that team be held responsible for the completion of their tasks.

Needs Driven

The needs driven approach to staff education creates a team that will respond to high risk critical situations that need to be handled immediately. This team is a subdivision of the Means Driven tier and consists of individuals that have the ability to respond under pressure. The requirements of the Needs Driven tier are:

• On call for an immediate response of critical risk mitigation
• Works out of band from the Means Driven scheduling
• Communicates directly with company stakeholders and the Requirements Driven tier
• Consists of the leaders of both the Requirements and Means tiers
• Reports are given to the Requirements tier to be placed in the living documentation

This list creates a safety net for the organization in times of critical risk. The training for the Needs Driven tier utilizes the training from both previous tiers and also includes its own dedicated training material. The education program for the Needs Driven tier requires a crisis management training course, which ensures the employees will be able to focus on the immediate problem, understand the longer term consequences of the decisions that are made during a time of crisis, and clearly communicate with all necessary parties at the time of crisis.

Creation of Initial Security Baseline

Initial Implementation

The initial implementation of the comprehensive security assessment system can be easily understood by three key practices: 1. following the guidance of practices from the discussions in previous sections of the documentation, 2. comparing the implementation testing to identified goal achievement metrics, and 3. comparing the implementation testing to the desired application of practice from the initial documentation. Areas 2 & 3 described above have been researched in the COBIT 5 (2012) model from ISACA.

This implementation will create a security baseline for Innova that will be used for successive implementations. The security baseline is the state of the information network after the first complete cycle of the security system, including mitigation, as defined by this security system. The initial mitigation process is critical for ensuring that the company has closed major security holes and the onboarding process of the security culture has begun to take hold at Innova Corporation.

Goal Achievement Metrics

The goal achievement metrics for the creation of the initial security baseline are defined before the baseline is created. These metrics are the definitions of what a successful implementation involves and are therefore designated by the policies that were created at the beginning of the security assessment. Goal achievement metrics for the Innova Corporation are listed as questions and include:

• Did the business fix security issues based upon the guidance of the automated controls?
• Did the company properly log the policies and results of the security assessment?
• Did the organization create policies that enveloped the entire organization?
• Did Innova place priority on completing the assessment process?

All of these questions can be answered after the initial implementation of the security assessment model is complete, and the questions may be reused, if appropriate, during any subsequent implementations.

Application of Practice Metrics

The application of practice metrics involved with the creation of the initial security baseline is also a set of questions that need to be checked against the work completed. In this case, the metrics are associated with the implementation of the methods used to discover and mitigate the vulnerabilities on the network. The questions are:

• Did the implementation team use the governance model created by the stakeholders to create a management model for mitigating those risks?
• Did the employees follow the policies created for implementing the management strategies?
• Were the reports from the tools reviewed and utilized for mitigating the risks discovered during the automated scanning practice?
• Were the documents filed in the living documentation of the comprehensive security assessment system for storage and future review or comparison?
• If any problems were discovered during the security assessment that could not be properly mitigated, was there a meeting held to discuss other mitigation strategies with stakeholders or tool vendors?

Once all of the above questions are answered, then Innova has assessed and responded to the risks associated with their information system, and is in a position to continue to monitor the network for abnormal activities until the next security event takes place. This is a minimal set of questions and should be added to during the lifetime of the security assessment system.

Successive Implementations

The following categories have been identified to be used with each successive implementation of the comprehensive security assessment system. The four categories are based upon the ISO 27001 & 27002 model and NIST 800-30 rev.1. These create a cyclical approach to security management.

Planning

After the initial implementation of the comprehensive security assessment system, Innova will need to plan successive implementations. In order to plan those implementations, Innova will review the previous implementations of the security system and discover the areas that need to be addressed inside the network.

These areas are based upon the creation of the security baseline and the living documentation of the security model. The security assessment team will need to set a schedule of work and base the schedule upon a yearly cycle, unless major changes to the information system occur in the interim.

Tracking

The tracking of successive implementations will be placed in the living documentation, noted with the proper implementation label. The tracking utilizes the framework for documentation created in the comprehensive policy section.

Correcting

In the correction section of successive implementations, the business identifies areas of mitigation and completes the processes necessary to protect the network. By protecting the network, it is understood that these goals are based upon the needs of the business in the planning stage of the successive implementation.

Reporting

The reports from the automated tools and the manual mitigation reports should be added to the living document of the assessment system. These documents should be reviewed and compared to the current security baseline to monitor any unwarranted changes. If anything unusual is noticed during the review of the reporting phase, further investigation into the system will be needed, and if the anomaly is not comprehensible, then another security implementation is warranted.

References

Calder, A., & Watkins, S. (2012). IT Governance—An International Guide to Data Security and ISO27001/ISO27002 (5th ed.). Philadelphia, PA: Kogan Page.

IBM Corporation. (2013). Responding to and recovering from sophisticated security attacks: The four things you can do now to help keep your organization safe. Somers, NY: IBM Global Services.

ISACA. (2012). COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. Rolling Meadows, IL: ISACA.

ISECOM. (2010). Open Source Security Testing Methodology Manual. Cardedeu, Spain: ISECOM.

National Institute of Standards and Technology. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems. Gaithersburg, MD: National Institute of Standards and Technology.

National Institute of Standards and Technology. (2012). Guide for Conducting. Gaithersburg, MD: National Institute of Standards and Technology.

OISSG. (2004, August 10). Information Systems Security Assessment Framework Draft 1.0. Retrieved from Sourceforge: http://sourceforge.net/projects/isstf/

OWASP. (2015, August 7). OWASP Proactive Controls. Retrieved from OWASP: https://www.owasp.org/index.php/OWASP_Proactive_Controls

PCI Security Standards Council, LLC. (2015, April). Payment Card Industry (PCI) Data Security Standard Version 3.1. Wakefield, MA: PCI Security Standards Council, LLC.

Roper, C., Grau, J., & Fischer, L. (2006). Security Education, Awareness and Training: From Theory to Practice. Burlington, MA: Elsevier Inc.

Ross, S. (2011). Creating a Culture of Security. Rolling Meadows, IL: ISACA.

SANS Institute. (2015, August 15). Critical Security Controls: Guidelines. Retrieved from SANS: https://www.sans.org/critical-security-controls/guidelines

Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). Technical Guide to Information Security Testing and Assessment. Gaithersburg, MD: National Institute of Standards and Technology.

Tenable Network Security. (2014). Tenable Solutions for the Cyber Hygiene Campaign. Columbia, MD: Tenable Network Security, Inc.

Xiao, Y. (2014). Vulnerability Assessment for Substation Automation Systems. In Y. Xiao, Security and Privacy in Smart Grids (Chapter 8). Boca Raton, FL: Taylor & Francis Group, LLC.

Appendix A: RISK ASSESSMENT METHODOLOGY EVALUATION[5]

The process for periodic risk assessment for information security in the Organization environment identifies the follow up actions, after the risk assessment has been completed, to manage the newer risks that have been realized in the environment.

1. Does the risk assessment exercise at minimum include the following?
1.1. Identification of all business critical information assets (e.g., data, paper documents, software, hardware etc.)?
1.2. Vulnerability assessment for the identified assets?
1.3. Identifying the risk scenarios for compromise of the assets via the vulnerabilities identified?
1.4. Assessing the probability of the risk scenario coming to pass on a rating scale?
1.5. Assessing the impact on the business if the risk scenario were to come to pass?
1.6. Calculating the risk rating by multiplying the probability by the impact?
1.7. Prioritizing the risks based on the risk ratings?
2. Does the Organization conduct a comprehensive organization wide risk assessment exercise to reassess the threats, vulnerabilities and business impact for information security &
is the Chief Information Security Officer (CISO) duly assisted by the respective Information Security Officers (ISOs) during this periodical risk assessment exercise?
3. Is there a Risk Assessment Template which is used as a general framework for the conduct of the risk assessment?
4. Is there a risk management plan developed to minimize the exposure of the company to the high risks that are identified?
5. Are the controls implementation instructions issued on the basis of the risk management plan, which will clearly identify responsibilities and timelines for implementation?
6. Does the CISO, with assistance from the ISOs, verify and validate the desired implementation actions within the stipulated time?
7. Are the details of the risk assessment, risk management plan and implementation preserved for a stipulated period? (3-5 years)
8. Apart from the yearly risk assessment, is a risk assessment carried out whenever there is a major change to the P&O network and systems, such as addition of a new business application, relocation or redeployment of an existing application system, or major changes to network architecture?

[5] See Reference OISSG.