AU8435_C000.fm Page i Monday, September 25, 2006 2:25 PM

IT Security Governance Guidebook with Security Program Metrics on CD-ROM

© 2006 by Fred Cohen

OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

Assessing and Managing Security Risk in IT Systems: A Structured Methodology
John McCumber
ISBN: 0-8493-2232-4

Audit and Trace Log Management: Consolidation and Analysis
Phillip Q Maier
ISBN: 0-8493-2725-3

Building and Implementing Security Certification and Accreditation Program
Patrick D Howard
ISBN: 0-8493-2062-3

The CISO Handbook: A Practical Guide to Securing Your Company
Michael Gentile; Ronald D Collette; Thomas D August
ISBN: 0-8493-1952-8

The Complete Guide for CPP Examination Preparation
James P Muuss; David Rabern
ISBN: 0-8493-2896-9

Curing the Patch Management Headache
Felicia M Nicastro
ISBN: 0-8493-2854-3

Cyber Crime Investigator's Field Guide, Second Edition
Bruce Middleton
ISBN: 0-8493-2768-7

Database and Applications Security: Integrating Information Security and Data Management
Bhavani Thuraisingham
ISBN: 0-8493-2224-3

The Ethical Hack: A Framework for Business Value Penetration Testing
James S Tiller
ISBN: 0-8493-1609-X

Guide to Optimal Operational Risk and Basel II
Ioannis S Akkizidis; Vivianne Bouchereau
ISBN: 0-8493-3813-1

The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks
Susan Young; Dave Aitel
ISBN: 0-8493-0888-7

The HIPAA Program Reference Handbook
Ross Leo
ISBN: 0-8493-2211-1

Information Security Architecture: An Integrated Approach to Security in the Organization, Second Edition
Jan Killmeyer Tudor
ISBN: 0-8493-1549-2

Information Security Fundamentals
Thomas R Peltier; Justin Peltier; John A Blackley
ISBN: 0-8493-1957-9

Information Security Management Handbook, Fifth Edition, Volume 2
Harold F Tipton; Micki Krause
ISBN: 0-8493-3210-9

Information Security Management Handbook, Fifth Edition, Volume 3
Harold F Tipton; Micki Krause
ISBN: 0-8493-9561-5

Information Security Policies and Procedures: A Practitioner's Reference, Second Edition
Thomas R Peltier
ISBN: 0-8493-1958-7

Information Security Risk Analysis, Second Edition
Thomas R Peltier
ISBN: 0-8493-3346-6

Information Technology Control and Audit, Second Edition
Frederick Gallegos; Daniel P Manson; Sandra Senft; Carol Gonzales
ISBN: 0-8493-2032-1

Intelligence Support Systems: Technologies for Lawful Intercepts
Kornel Terplan; Paul Hoffmann
ISBN: 0-8493-2855-1

Managing an Information Security and Privacy Awareness and Training Program
Rebecca Herold
ISBN: 0-8493-2963-9

Network Security Technologies, Second Edition
Kwok T Fung
ISBN: 0-8493-3027-0

The Practical Guide to HIPAA Privacy and Security Compliance
Kevin Beaver; Rebecca Herold
ISBN: 0-8493-1953-6

A Practical Guide to Security Assessments
Sudhanshu Kairab
ISBN: 0-8493-1706-1

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments
Douglas J Landoll
ISBN: 0-8493-2998-1

Strategic Information Security
John Wylder
ISBN: 0-8493-2041-0

Surviving Security: How to Integrate People, Process, and Technology, Second Edition
Amanda Andress
ISBN: 0-8493-2042-9

Wireless Security Handbook
Aaron E Earle
ISBN: 0-8493-3378-4

AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail: [email protected]

IT Security Governance Guidebook with Security Program Metrics on CD-ROM

FRED COHEN

Boca Raton   New York

Auerbach Publications is an imprint of the Taylor & Francis Group, an informa business

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2006 by Fred Cohen
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works
Version Date: 20131021

International Standard Book Number-13: 978-0-8493-8436-3 (eBook - PDF)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

AU8435_bookTOC.fm Page v Monday, September 25, 2006 2:41 PM

Table of Contents

Executive Summary
About This Material

Chapter 1  The Structure of Information Protection
1.1 A Comprehensive Information Protection Program
    1.1.1 The Architectural Model
    1.1.2 Risk Management
    1.1.3 How the Business Works
    1.1.4 How Information Technology Protection Works
    1.1.5 Interdependencies
    1.1.6 But How Much Is Enough? The Duty to Protect
1.2 What Is Information Protection Governance All About?
    1.2.1 The Goal of Governance
    1.2.2 What Are the Aspects of Governance?
        1.2.2.1 Structures
        1.2.2.2 What Are the Rules?
        1.2.2.3 Principles and Standards
        1.2.2.4 Power and Influence
        1.2.2.5 Funding
        1.2.2.6 Enforcement Mechanisms
        1.2.2.7 Appeals Processes and Disputes
    1.2.3 The Overall Control System
1.3 Fitting Protection into Business Structures
    1.3.1 Fitting In
    1.3.2 The Theory of Groups
    1.3.3 What Groups Are Needed
1.4 Who Is in Charge and Who Does This Person Work for?
    1.4.1 The CISO
    1.4.2 The CISO's Team
    1.4.3 The Structure of the Groups
    1.4.4 Meetings and Groups the CISO Chairs or Operates
    1.4.5 Should the CISO Work for the CIO or Others?
1.5 Should the CISO, CPO, CSO, or Others Be Combined?
    1.5.1 Where Should the CISO Be in the Corporate Structure?
1.6 Budgets and Situations
    1.6.1 Direct Budget for the CISO
    1.6.2 Identifiable Costs
1.7 Enforcement and Appeals Processes
    1.7.1 Top Management Buy-In and Support
    1.7.2 Power and Influence and Managing Change
    1.7.3 Responses to Power and Influence
    1.7.4 Other Power Issues
1.8 The Control System
    1.8.1 Metrics
        1.8.1.1 Costs
        1.8.1.2 Performance
        1.8.1.3 Time
        1.8.1.4 Lower-Level Metrics
1.9 How Long Will It Take?
1.10 Summary

Chapter 2  Drill-Down
2.1 How the Business Works
2.2 The Security Oversight Function
    2.2.1 Duty to Protect
        2.2.1.1 Externally Imposed Duties
        2.2.1.2 Internally Imposed Duties
        2.2.1.3 Contractual Duties
2.3 Risk Management and What to Protect
    2.3.1 Risk Evaluation
        2.3.1.1 Consequences
        2.3.1.2 Threats
        2.3.1.3 Vulnerabilities
        2.3.1.4 Interdependencies and Risk Aggregations
    2.3.2 Risk Treatment
        2.3.2.1 Risk Acceptance
        2.3.2.2 Risk Avoidance
        2.3.2.3 Risk Transfer
        2.3.2.4 Risk Mitigation
    2.3.3 What to Protect and How Well
    2.3.4 The Risk Management Space
        2.3.4.1 Risk Assessment Methodologies and Limitations
        2.3.4.2 Matching Surety to Risk
    2.3.5 Enterprise Risk Management Process: An Example
        2.3.5.1 The Risk Management Process
        2.3.5.2 Evaluation Processes to Be Used
        2.3.5.3 The Order of Analysis
        2.3.5.4 Selection of Mitigation Approach
        2.3.5.5 Specific Mitigations
        2.3.5.6 Specific Issues Mandated by Policy
        2.3.5.7 A Schedule of Risk Management Activities
        2.3.5.8 Initial Conditions
        2.3.5.9 Management's Role
        2.3.5.10 Reviews to Be Conducted
    2.3.6 Threat Assessment
    2.3.7 Fulfilling the Duties to Protect
2.4 Security Governance
    2.4.1 Responsibilities at Organizational Levels
    2.4.2 Enterprise Security Management Architecture
    2.4.3 Groups That CISO Meets with or Creates and Chairs
        2.4.3.1 Top-Level Governance Board
        2.4.3.2 Business Unit Governance Boards
        2.4.3.3 Policy, Standards, and Procedures Group and Review Board
        2.4.3.4 Legal Group and Review Board
        2.4.3.5 Personnel Security Group and Review Board
        2.4.3.6 Risk Management Group
        2.4.3.7 Protection Testing and Change Control Group and Review Board
        2.4.3.8 Technical Safeguards Group and Review Board
        2.4.3.9 Zoning Boards and Similar Governance Entities
        2.4.3.10 Physical Security Group and Review Board
        2.4.3.11 Incident Handling Group and Review Board
        2.4.3.12 Audit Group and Review Board
        2.4.3.13 Awareness and Knowledge Group and Review Board
        2.4.3.14 Documentation Group
    2.4.4 Issues Relating to Separation of Duties
    2.4.5 Understanding and Applying Power and Influence
        2.4.5.1 Physical Power
        2.4.5.2 Resource Power
        2.4.5.3 Positional Power
        2.4.5.4 Expertise, Personal, and Emotional Power
        2.4.5.5 Persuasion Model
        2.4.5.6 Managing Change
    2.4.6 Organizational Perspectives
        2.4.6.1 Management
        2.4.6.2 Policy
        2.4.6.3 Standards
        2.4.6.4 Procedures
        2.4.6.5 Documentation
        2.4.6.6 Auditing
        2.4.6.7 Testing and Change Control
        2.4.6.8 Technical Safeguards: Information Technology
        2.4.6.9 Personnel
        2.4.6.10 Incident Handling
        2.4.6.11 Legal Issues
        2.4.6.12 Physical Security
        2.4.6.13 Knowledge
        2.4.6.14 Awareness
        2.4.6.15 Organization
        2.4.6.16 Summary of Perspectives
2.5 Control Architecture
    2.5.1 Protection Objectives
        2.5.1.1 Integrity
        2.5.1.2 Availability
        2.5.1.3 Confidentiality
        2.5.1.4 Use Control
        2.5.1.5 Accountability
    2.5.2 Access Control Architecture
    2.5.3 Technical Architecture Functional Units and Composites
    2.5.4 Perimeter Architectures
        2.5.4.1 Physical Perimeter Architecture
        2.5.4.2 Logical Perimeter Architecture
        2.5.4.3 Perimeter Summary
    2.5.5 Access Process Architecture
        2.5.5.1 Identification
        2.5.5.2 Authentication
        2.5.5.3 Authorization
        2.5.5.4 Use
    2.5.6 Change Control Architecture
        2.5.6.1 Research and Development
        2.5.6.2 Change Control
        2.5.6.3 Production
2.6 Technical Security Architecture
    2.6.1 Issues of Context
        2.6.1.1 Time ("When")
        2.6.1.2 Location ("Where")
        2.6.1.3 Purpose ("Why")
        2.6.1.4 Behaviors ("What")
        2.6.1.5 Identity ("Who")
        2.6.1.6 Method ("How")
    2.6.2 Life Cycles
        2.6.2.1 Business
        2.6.2.2 People
        2.6.2.3 Systems
        2.6.2.4 Data
    2.6.3 Protection Process: Data State
        2.6.3.1 Data at Rest
        2.6.3.2 Data in Motion
        2.6.3.3 Data in Use
    2.6.4 Protection Process: Attack and Defense
        2.6.4.1 Deter
        2.6.4.2 Prevent
        2.6.4.3 Detect
        2.6.4.4 React
        2.6.4.5 Adapt
        2.6.4.6 Detect/React Loop
    2.6.5 Protection Process: Work Flows
        2.6.5.1 Work to Be Done
        2.6.5.2 Process for Completion and Options
        2.6.5.3 Control Points and Approval Requirements
        2.6.5.4 Appeals Processes and Escalations
        2.6.5.5 Authentication Requirements and Mechanisms
        2.6.5.6 Authorization and Context Limitations
        2.6.5.7 Work Flow Documentation and Audit
        2.6.5.8 Control and Validation of the Engine(s)
        2.6.5.9 Risk Aggregation in the Engine(s)
    2.6.6 Protective Mechanisms
        2.6.6.1 Perception
        2.6.6.2 Structure
        2.6.6.3 Content Controls
        2.6.6.4 Behavior
2.7 Roll-Up of the Drill-Down

Chapter 3  Summary and Conclusions

Index