Handbook of Information Security Management:Communications Security

Previous Table of Contents Next


METHOD OF ANALYSIS

Analysis methodologies may range from informal reviews of small office automation installations through formal risk assessments at major data centers. An informal security review can be used for systems with low-level risk designations. Formal security assessments should be required for high-level risk environments. Below is a further discussion of levels of protection.

Automated Risk Assessment

There are a considerable number of automated risk assessment packages, of varying capabilities and costs, available in the marketplace. These automated packages address large and medium facilities, applications, office automation, and LAN/WAN environments. Several packages contain general analyses of network vulnerabilities applicable to LANs. These packages have been found to have adequate coverage of LAN administration, protection of file servers, and PC/LAN backup practices and procedures.

Questionnaires and Checklists

The key to good security management is measurement — knowing where one is in relation to what needs to be done. Questionnaires are one way to gather relevant information from the user community. A PC/LAN questionnaire can be a simple, quick, and effective tool to support informal and formal risk assessments. For small, informal risk assessments, the PC/LAN questionnaire can be the main assessment tool. A checklist is another valuable tool for helping to evaluate the status of security.

A customized version of an automated questionnaire and assessment can be developed by security consultants as well. With this approach, the user is prompted to respond to a series of PC and LAN questions which are tailored online to the user’s environment, and then provides recommendations to improve the user’s security practices and safeguards. Typically designed for the average PC user, this approach functions as a risk assessment tool. A questionnaire/checklist may be a useful first step in determining if a more formal/extensive risk assessment needs to be done, as well as to guide the direction of the risk assessment.

LAN/WAN SECURITY IMPLEMENTATION

This section provides a step by step approach for implementing cost-effective LAN/WAN security. A simple example is used to illustrate this approach. The steps performed in the implementation process include determining and reviewing responsibilities, determining required procedures, determining security level requirements, and determining detailed security procedures.

Determine/Review Responsibilities

The first step in LAN/WAN security implementation is to know who is responsible for doing what. LAN/WAN security is a complex undertaking, requiring an integrated team effort. Responsibilities must be defined for managers of facilities, information technology operations personnel, and managers of application systems which run on LANs.

In addition, every area network should require a LAN/WAN administrator and an information systems security officer whose specific duties include the implementation of appropriate general, technical (e.g., access controls and Internetwork security), and operational controls (e.g., backups and contingency planning). In general, the security officer is responsible for the development and coordination of LAN and WAN security requirements, including the “Computer Systems Security Plan”. The LAN/WAN administrator is responsible for the proper implementation and operation of security features on the LAN/WAN.

Determine Required Procedures

The second step is to understand the type and relative importance of protection needed for a LAN. As stated above, a LAN may need protection for reasons of confidentiality, integrity, and availability. For each of the three categories there are three subcategories to determine the level of security needed: High, Medium, or Low. A matrix approach can be used to document the conclusions for needed security. This involves ranking the security objectives for the LAN being reviewed, using the following simple matrix.

Typical Security Matrix
Security Objectives Level of Protection Needed
High (Level 3) Medium (Level 2) Low (Level 1)
Confidentiality      
Integrity      
Availability      
Overall      

The result is an overall security designation of low (Level 1), medium (Level 2), or high (Level 3). In all instances, the security level designation of a LAN should be equal to or higher than the highest security level designation of any data it processes or systems it runs. This security level designation determines the minimum security safeguards required to protect sensitive data files and to ensure the operational continuity of critical processing capabilities.

This matrix analysis approach to documenting security designations can be expanded and refined into more complex models with security objective subcategories and possibly the use of weighted value assignments for categories. Most automated packages are based on more complex measurement models.

Determine Security Level Requirements

Once the level of protection has been determined, the next step is to determine the security level requirements. Using the simple model that has been created to illustrate this approach, the following is a suggested definition of the minimum security requirements for each level of protection.

Level 1 Requirements

The suggested controls required to adequately safeguard a Level 1 system are considered good management practices. These include, but are not limited, to the following.

1.  Information systems security awareness and training.
2.  Position sensitivity designations.
3.  Physical access controls.
4.  A complete set of information systems and operations documentation.

Level 2 Requirements

The suggested controls required to adequately safeguard a Level 2 system include all of the requirements for Level 1, plus the following requirements.

1.  A detailed risk management program.
2.  Record retention procedures.
3.  A list of authorized users.
4.  Security review and certification procedures.
5.  Clearance (i.e., appropriate background checks) for persons in sensitive positions.
6.  A detailed fire/catastrophe plan.
7.  A formal written contingency plan.
8.  A formal risk analysis.
9.  An automated audit trail.
10.  Authorized access and control procedures.
11.  Secure physical transportation procedures.
12.  Secure telecommunications.
13.  An emergency power program.


Previous Table of Contents Next



The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version are covering, however it is one of the best tool you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.