Planning for & Implementing Security

In today's digital age, the security of sensitive information has become an increasingly critical concern for organizations of all sizes and industries. With the rise of cyber threats such as data breaches, malware attacks, and phishing attempts, implementing robust information security measures has become a top priority for businesses to protect their assets and maintain customer trust. Information security refers to the set of practices, technologies, and policies designed to safeguard the confidentiality, integrity, and availability of information against unauthorized access, use, disclosure, disruption, modification, or destruction. To ensure effective information security, organizations need to adopt a holistic approach that covers not only technical aspects but also human factors and organizational culture. This involves identifying potential risks, defining security objectives, implementing appropriate controls, and regularly monitoring and evaluating the security posture.

Planning for Security

Managing risk, discussed in a previous chapter, is a "complex, multifaceted activity that requires the involvement of the entire organization—from senior leaders/executives providing the strategic vision and top-level goals and objectives for the organization; to mid-level leaders planning, executing, and managing projects; to individuals on the front lines operating the information systems supporting the organization’s missions/business functions." [1]

Organizations plan for information security by following a structured approach that involves several steps. Overall, planning for information security requires a comprehensive and ongoing effort to assess risks, define objectives, develop policies and controls, and continuously monitor and improve security measures.

One element of security planning is contingency planning which includes Incident Response, Disaster Recovery, and Business Continuity plans. The goal of contingency planning is to ensure that an organization can continue to operate in the event of a security incident or disaster. It involves identifying critical systems and data, assessing vulnerabilities, and developing procedures for restoring operations as quickly as possible.

Implementing Security

In order to design and develop controls, organizations often use a high-level approach based called security architecture. Security architecture refers to the design and implementation of security controls and processes to protect an organization's information assets. It is a high-level view of an organization's security requirements, strategies, and structures, which helps to ensure that security measures are aligned with business objectives and risk management needs.

A security architecture may include a range of technical and non-technical controls, such as firewalls, intrusion detection systems, access controls, encryption, authentication, security policies, and incident response plans. These controls are designed to protect information assets from various threats, such as unauthorized access, theft, and data breaches.

Security architecture also takes into account the people, processes, and technology involved in an organization's security measures. It aims to create a security framework that is holistic and integrated, taking into account the interdependencies and interactions between different security controls.

Here are some important security principles that organizations should consider in their information security programs:

1. Defense-in-depth is a security strategy that involves implementing multiple layers of security controls to protect an organization's information assets. The strategy recognizes that no single security control can provide complete protection against all potential threats, and that a combination of controls is necessary to provide effective security.
2. Least privilege is a security principle that involves granting users only the minimum privileges necessary to perform their job functions. This means that users should not have access to resources or information that they do not need to perform their job, and that access should be restricted to only those resources that are required for a user's role or responsibilities.
3. Separation of duties is a security principle that involves dividing responsibilities for a particular task or function among different individuals or groups. The purpose of separation of duties is to reduce the risk of fraud, error, or malicious activity by preventing a single person from having complete control over a process or function.
4. Security perimeter refers to a boundary that separates a trusted, secure internal network or system from an untrusted, external network or system. The perimeter is typically implemented using a combination of physical and technical controls, such as firewalls, intrusion prevention systems, access controls, and other security mechanisms.

Layered Approach

A security program is a set of activities and processes that an organization implements to manage and reduce risk to its information assets. A security program typically includes policies, procedures, and controls to protect the confidentiality, integrity, and availability of information.

A layered approach to security is essential for providing effective protection for an organization's information assets, and organizations should strive to implement controls at each layer to reduce the risk of security incidents and protect against potential threats. There are typically three main layers of information security:

1. Administrative layer: This layer focuses on policies, procedures, and other administrative controls to ensure that information assets are protected. Administrative security controls may include measures such as security awareness training, access control policies, incident response procedures, and security audits and assessments.
2. Technical layer: This layer focuses on protecting the technology assets of an organization, including software, hardware, and data. Technical security controls may include measures such as firewalls, encryption, intrusion detection and prevention systems, antivirus software, and secure coding practices.
3. Physical layer: This layer focuses on protecting the physical assets that make up an organization's information systems, such as data centers, servers, and network devices. Physical security controls may include measures such as access controls, video surveillance, environmental controls, and fire suppression systems.
4. Personnel Layer: This layer focuses on nsuring that employees, contractors, and other personnel who have access to an organization's information and assets are trustworthy and do not pose a security risk.

Policy, standards, and procedures (Administrative)

Policy, standards, and procedures are all important components of an organization's information security program, and each plays a distinct role in defining and implementing security controls.

Policy: An information security policy is a high-level statement that defines the overall goals, objectives, and responsibilities of the organization with respect to information security. The policy outlines the organization's stance on security issues and provides guidance for security-related decision making. Policies are typically broad and general, and are intended to provide a framework for more detailed security controls.

Policy Example: An Acceptable Use Policy (AUP) is a policy that defines how employees or authorized users are allowed to use the organization's computer systems and networks. An AUP typically covers topics such as appropriate use of email, internet access, social media, and other information technology resources. The policy would outline the consequences of violating the AUP, which could include disciplinary action or termination of employment.

Standards: Information security standards are more specific and detailed than policies, and provide a set of technical or procedural requirements that must be met in order to comply with the policy. Standards are designed to be measurable and enforceable, and provide a clear set of guidelines for implementing security controls. Standards may address topics such as access control, encryption, incident response, and vulnerability management.

Standard Example: Organizations often create a password standard that defines requirements for the creation, use, and management of passwords. The standard might require that passwords be a minimum length, include a mix of letters, numbers, and symbols, and be changed regularly. The standard might also require that passwords not be written down or shared with others.

Procedures: Information security procedures are even more specific and detailed than standards, and provide step-by-step instructions for carrying out specific security tasks or activities. Procedures are designed to be highly prescriptive and specific, and provide detailed instructions for implementing security controls. Procedures may address topics such as user account management, patch management, or system hardening.

Procedure Example: Relating to the password standard above, an organization can create a password complexity procedure. Passwords must be at least eight characters in length and include a mix of upper and lowercase letters, numbers, and special characters. Passwords should not contain any easily guessable information, such as birth dates or names of family members. Passwords should not be shared with anyone, including coworkers or supervisors.

Key Technology Components (Technical)

The following technology components are essential to providing effective protection to information resources:

Firewall: A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on an organization's previously established security policies. Firewalls act as a barrier between the organization's internal network and the Internet or other external networks.

IDS (Intrusion Detection System): An IDS is a security technology that monitors network traffic for signs of intrusion or malicious activity. An IDS analyzes network traffic and raises an alert if it detects any activity that violates an organization's security policies.

IPS (Intrusion Prevention System): An IPS is a security technology that works in conjunction with an IDS to actively block or prevent malicious traffic from entering the organization's network. IPS devices sit inline with network traffic and can drop, block or alter network traffic to prevent unauthorized access or attacks.

Proxy Server: A proxy server acts as an intermediary between client devices and servers on the internet. Proxy servers can help organizations protect their network by filtering incoming web traffic to prevent access to known malicious or unauthorized websites, and can also help to mask the organization's internal network structure.

DMZ (Demilitarized Zone): A DMZ is a network segment that is separated from the internal network and exposed to the Internet. The DMZ typically hosts publicly accessible servers such as web servers, email servers, and DNS servers. The DMZ is designed to limit the exposure of the internal network to external threats and provide an additional layer of security between internal resources and external threats.

References

---

[1] NIST Publication 800-39: Managing Information Security Risk
[2] ISO/IEC 27001: Information Security Management System (ISMS)

Personnel Security

Personnel security is a critical component of information security that focuses on ensuring that employees, contractors, and other personnel who have access to an organization's information and assets are trustworthy and do not pose a security risk. Personnel security includes measures such as background checks, security clearances, and security awareness training to minimize the risk of insider threats, such as unauthorized access, data theft, and sabotage. Effective personnel security programs can help organizations to identify and mitigate potential security risks and protect their information and assets from both internal and external threats.

Employees role in information security

Employees play a critical role in information security as they are often the first line of defense against security threats. Some important roles that employees play in information security include:

1. Following security policies and procedures
2. Identifying security threats
3. Participating in security awareness training
4. Keeping software and systems up to date
5. Protecting mobile devices

Security Education, Training, and Awareness (SETA)

Security education, training, and awareness are critical components of an effective information security program. They aim to educate employees on various aspects of information security and their role in protecting the organization's assets and information from potential security threats. The training can be delivered in various formats, such as online courses, classroom sessions, and workshops [3].

The following are some important topics that may be covered in a security awareness training program:

1. Password management: Employees are trained on best practices for creating and managing strong passwords, such as using long, complex passwords and avoiding common words or phrases.
2. Phishing and social engineering: Employees are trained on how to identify and avoid phishing attacks and other social engineering tactics that attackers may use to gain unauthorized access to the organization's systems and information.
3. Mobile device security: Employees are trained on best practices for securing mobile devices such as smartphones and tablets, including the use of strong passwords, encryption, and the importance of not connecting to unsecured public Wi-Fi networks.
4. Physical security: Employees are trained on the importance of physical security measures such as locking their workstations when leaving their desks and reporting any suspicious behavior or unescorted visitors.

Hiring and termination practices

The hiring and termination practices of an organization play a critical role in ensuring the security of its information. It is important to conduct thorough background checks and reference checks on all prospective employees to ensure that they have the necessary qualifications, skills, and character to handle sensitive information. When employees are terminated, it is important to have clear policies and procedures in place for revoking their access to systems and data and ensuring the return of all company property.

Background checks and screening processes

Background checks and screening processes are essential for ensuring that employees do not pose a security risk to the organization. These processes can include criminal background checks, credit checks, and employment history checks. It is important to ensure that all checks are conducted in compliance with applicable laws and regulations.

Non-disclosure agreements (NDAs)

Non-disclosure agreements are legal contracts that prohibit employees from disclosing confidential information to unauthorized parties. NDAs can help protect the organization's intellectual property and sensitive information from unauthorized disclosure. It is important to ensure that all employees who have access to confidential information sign an NDA, and that the agreement is regularly reviewed and updated as necessary.

References

---

[3] NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

Physical Security

Physical security is an essential component of any comprehensive information security program. It involves the implementation of physical measures to protect the physical assets of an organization, including its buildings, equipment, and personnel, as well as the data and information that are stored and processed within these assets.

Physical security measures are necessary to prevent unauthorized access, theft, damage, or destruction of critical information assets. Examples of physical security measures include access controls, surveillance systems, environmental controls, and perimeter security.

In the context of information security, physical security measures are particularly important because many of the threats to information security, such as theft of laptops or mobile devices, unauthorized access to servers or data centers, and sabotage or destruction of IT infrastructure, require physical access to the assets. Thus, ensuring the physical security of an organization's assets is an important aspect of protecting its information assets and maintaining the integrity, confidentiality, and availability of its data.

Physical security threats

Physical security threats can be broadly defined as any physical force, event, or circumstance that can cause harm, damage, or disruption to an organization's physical assets, personnel, or information systems. The table below shows some examples of potential physical security threats and their associated vulnerabilities:

Table 9.1: Physical Threats

countermeasures

There are several countermeasures that organizations can implement to protect against physical security threats. In general, these countermeasures can be grouped into three categories:

1. Physical measures: refer to the use of physical objects like barriers, access controls, and other security devices to prevent or deter unauthorized access, theft, sabotage, or other physical security threats. Physical measures can include things like locks, fences, gates, alarms, surveillance cameras, and security guards.
2. Technical measures: refer to the use of technology to enforce security policies, prevent unauthorized access, and protect information and systems from security threats. Technical controls provide automated and continuous protection against security threats, and include biometric access control, intrusion detection systems, etc.
3. Operational measures: refer to the policies and procedures set up to enforce a secure physical environment, and include background checks, risk assessment, training and awareness, etc.

Common Countermeasures

Some of the most common countermeasures include [4]:

1. Access controls: refer to the use of physical access controls such as locks, access cards, and biometric authentication to limit physical access to facilities, equipment, and data.
2. Security personnel: refer to the use of security guards, monitoring systems, and surveillance cameras to deter and detect unauthorized access and activities.
3. Intrusion detection systems: refer to the use of alarm systems to detect and alert staff and security personnel in case of unauthorized access, theft, or other suspicious activities.
4. Environmental controls: refer to the use of environmental controls such as temperature and humidity controls, water detectors, and fire suppression systems to mitigate potential damage from natural disasters or other environmental hazards.
5. Asset tracking and inventory management: Use of tools and processes to track and manage the location, status, and use of physical assets such as equipment, devices, and media.
6. Employee training and awareness: Providing regular training and awareness programs for employees to educate them on physical security risks, policies, and best practices.

Deterrents

Deterrents are special measures that are designed to discourage potential attackers or intruders from attempting to breach a facility or gain unauthorized access to sensitive information. Deterrents can include visible security measures such as security cameras, warning signs, security guards, and other physical security measures [5].

Deterrents work by increasing the perceived risk to potential attackers or intruders, making it less likely that they will attempt to breach the facility or access sensitive information. The presence of deterrents can also provide a sense of security to employees and customers, which can help to maintain a positive work environment and protect the reputation of the organization.

However, it's important to note that deterrents alone are not sufficient to provide complete physical security. Deterrents should be used in conjunction with other physical security measures, such as access controls, perimeter security, and surveillance, to provide a comprehensive and layered approach to security.

The figure below shows the application of the Defense-in-Depth principle on physical security:

Physical Security Policy

An organization must put in place a Physical Security Policy to protect its physical assets and ensure the safety and security of its employees, customers, and visitors. A well-designed physical security policy addresses the risks and vulnerabilities associated with the physical environment and provides a comprehensive framework for managing and mitigating those risks.

The physical security policy typically covers a wide range of topics, including access control, perimeter security, visitor management, emergency response, incident management, document disposal, and mandatory training. It sets out the rules and procedures for accessing and securing physical assets, such as buildings, equipment, and data storage facilities, and identifies the roles and responsibilities of employees, contractors, and other authorized personnel.

References

---

[4] NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security
[5] The Crime Prevention Through Environmental Design (CPTED) approach

case study
The Insider Threat
Problem

An organization has identified that an employee has recently started acting suspiciously. This employee has access to sensitive data and the organization is concerned about the potential for an insider threat. The organization is unsure of what steps to take to mitigate the risk.

Solution

To mitigate the potential risk of an insider threat, the organization should implement a personnel security program. This program should include measures to prevent, detect, and respond to insider threats, such as background checks, security awareness training, access controls, monitoring, and incident response procedures.

Results

By implementing a personnel security program, the organization was able to detect and prevent the insider threat. The suspicious employee was identified as a potential threat through their behavior and the organization was able to take appropriate action to mitigate the risk.

Case Study Questions

Attempt to answer the following questions before revealing the model answers:

1. What is an insider threat?
2. What is a personnel security program?
3. What are some examples of insider threats?
4. How can an organization identify potential insider threats?
5. What are some potential consequences of an insider threat?

Show Model Answers

Practical Assignment
Physical Security Assessment
Introduction

ISO 27001 is a widely recognized international standard that provides a framework for information security management systems (ISMS). The standard specifies a set of guidelines and controls that organizations should follow to ensure the confidentiality, integrity, and availability of their information assets.

Regarding physical security, ISO 27001 specifies a number of guidelines, controls, and other specifics. These include:

1. Physical access control: ISO 27001 requires that physical access to the organization's premises, equipment, and other assets be controlled and restricted. This can be achieved through the use of physical access controls such as card readers, biometric readers, and other mechanisms.
2. Scope
3. Asset protection: ISO 27001 requires that the organization protect its assets from damage, theft, or loss. This can be achieved through the use of security measures such as locks, security cameras, and alarm systems.
4. Equipment security: ISO 27001 requires that the organization secure its equipment, such as servers, routers, and other networking devices. This can be achieved through the use of physical security measures such as locked server rooms, secure cabinets, and cable locks.
5. Security perimeters: ISO 27001 requires that the organization establish security perimeters to protect its assets from unauthorized access or attack. This can be achieved through the use of physical barriers such as walls, fences, and other security measures.
6. Emergency response: ISO 27001 requires that the organization have an emergency response plan in place in case of physical security incidents. This plan should outline the steps to be taken in case of emergencies such as fires, floods, or other natural disasters.
7. Physical security audits: ISO 27001 requires that the organization regularly audit its physical security measures to ensure they are effective and up-to-date. This can be achieved through the use of physical security audits that assess the organization's physical security controls, policies, and procedures.

Instructions

1. Choose an organization, preferably one that deals with sensitive information or assets that require protection.
.
2. Conduct a physical security assessment based on ISO 27001 standards.
3. Identify and document potential vulnerabilities and risks.
4. Develop a comprehensive report detailing the results of the assessment.
5. Suggest recommendations for improving the physical security measures of the organization.
6. Prepare a presentation to present the report and recommendations to the organization's management.

Report Format

1. Executive Summary
2. Introduction and Background
3. Scope of the Physical Security Assessment
4. Methodology
5. Findings
6. Recommendations
7. Conclusion
8. References

Assessment Criteria

The students will be evaluated on their ability to perform a physical security assessment based on ISO 27001, identify potential vulnerabilities and risks, and provide recommendations for improvement. The evaluation will also take into account the quality of the report and presentation, including the clarity and organization of the material presented.