Info Security Plan

Information Security Plan

Table of Contents

Executive Summary        3

SECURITY CONTROLS DETAILS        4

Inventory of Asset Management        4

Risk Management        4

Identity and Access Management        4

Protecting the Perimeter        5

Opening up the Perimeter with VPN and Wireless        6

Mobile Security        7

Incident Response        7

Business Continuity Management        8

Change Management Controls        8

Measuring Effectiveness        8

DEFINITIONS        9

REFERENCES        10

Executive Summary

The purpose of this security plan is to provide an overview of the security of XXXXX and describe the controls and critical elements in place or planned. This ISP follows guidance contained in the Time-Based Model of Security.

The average time to exploitation on some networks for an unprotected computer is measured in minutes.

Not all attacks are directed at an individual computer. Viruses, for example, are written and directed at the computing community in general. A virus’s purpose is most often not to damage or destroy data, but simply to replicate by attaching itself to files, infecting other computers.

The foundational principles of information security are confidentiality, integrity and availability. Confidentiality is the assurance that only those who are authorized to access data can access it; integrity is the assurance that the data is accurate, and unaltered; and availability is the assurance that the data will be accessible when it is required. The goal of an information security program is insure these three principles.

The risk and severity of a security breach must be identified, and quantified wherever possible. Then, appropriate steps must be taken to reduce the probability of an attack; controls identified to reduce the impact if one should occur; and plans developed to respond to, and recover from, the incident. This process of risk management begins by identifying and valuing the assets to be protected.  Before any measures are considered.

SECURITY CONTROLS DETAILS

1.0 Inventory of Asset Management

• Procedure for identifying assets (Intellectual property, financial information, privacy, regulations of customers partners, employees, etc)
• Assessing the risk and deciding how to respond
• Classification scheme (Teach employees how to recognize the classification categories
• Asset inventory and security impact analysis with data classification
• Process control information
• What is and what is not public knowledge, info not intended to be on public domain and we need to protect and assign a value.
• KPI’s

• Being able to locate assets, track, tag hardware properties, installed software
• Contract and license information in a central location
• Vendor data, lease terms, warranties in a central location
• Identify compliance and security risks by listing all hardware, software, and the software associated with that hardware through a comprehensive, quick- to-retrieve repository

2.0 Risk Management

• Threats: Intentional (sabotage) or unintentional (natural disasters) increase risk
• Vulnerabilities: Software, bugs Increase risk
• Exploits: Methods of attack, increase the risk
• Control: Reduce the risk
• Prioritize risk: Low, Medium, High
• Risk assessment results
• Select the risk response (COBIT APO12): Avoid, Reduce, Share, Accept
• Procedures addressing security assessments
• Security assessment results” Residual risk is always > 0
• COBIT: EDM03 and APO12
• KPI’s

• Service-level agreements
• Risk assessment results
• Risk assessment reviews

3.0 Identity and Access Management

• Who is accessing our system? We want to authenticate
• Authentication enrollment, New Hire data access procedure
• Network diagrams that detail remote access
• Procedure for remote administration and access
• Present credentials: If match GRANT access if not DENIES access.
• Decide what credentials to use:

• Something you know=Password
• Something you have=Card, Token
• Something about you= Biometric

• Review false rejection rate (real person gets rejected) False acceptance rate (Impersonator)
• Goal is to have both as low as possible
• Use multiple credentials: Multifactor (i.e ATM card we have card and know something)
• Make sure that everybody in the system uniquely identified
• Allocated rights from privileges, need to perform job duties not everybody to be a super user
• Limited user credential/ admin super users privileges
• Authorizations controls prevent fraud.  (segregate duties) the buyer should not be the controller.
• Best Practice is Role Base Access Control (RBAC)
• KPI’s

• Password reset volume per month
• Average number of distinct credentials per user
• Number of new accounts provisioned
• Average time it takes to provision a user
• Separation of duty violations

4.0 Protecting the Perimeter

• Layers of defense to protect our network (Time-Based Model)
• Preventive measures, Detective measures, Reactive measures
• Most important preventive layer: Physical access
• Firewalls, Intrusion Detection System, Intrusion Protection Systems
• Perimeter protection devices filter traffic to block attacks.
• Firewall

• Don't block, they filter
• IDS and IPS are an addition layer of protection
• Both IDs and IPS can identify that a scan is in progress
• Both IDS and IPS provide detailed mapping and scanning (tools like nmap or wireshark)

• TCP /IP Model (Seven layers)

• Application
• Presentation
• Sessions
• Transport
• Network
• Data Link
• Physical

• Each layer has a variety of protocols, more important TCP and IP
• TCP breaks files into pieces and reassemble (use port numbers to specify application type)
• IP is what we route from one network to another across the internet (each device has IP address assigned)
• TCP and UDP ports permit multiple simultaneous connections
• Network protocols specify rules for normal behavior and effect on security violations of those rules may disrupt communications
• For filtering to work:

• Set off IF THEN rules called access control List (ACLs)
• THEN part specifies what to do (only two options Permit or Deny)

• In addition filter outbound traffic (prevent exit of confidential information, stop attacks, control employee behavior avoid becoming accomplice to attacks (i.e part of botnet)
• Two basic filtering models

• Packet filter firewall: Inspect the information contained in packet headers
• Application firewalls: inspect the data contained in the packets)

• Another function of firewalls : NAT  Network Address Translation

• All our internal devices cannot route or cannot be reach directly from internet , mostly cost effective we only pay for one routable IP address. Reserve block only for internal use.

• Use Log analysis
• KPI’s

• Protect our network longer than take to detect that something is going on and respond to block it.  
• Number of incident reports
• Number of attacks
• Number of “3 way handshake” violations

5.0 Opening up the Perimeter with VPN and Wireless

• Virtual Private networks  (VPN) encrypt traffic on the internet
• Two purposes of VPN

• To connect two branch offices , in this case we use IPSec (built in authentication and encryption mechanisms)
• Remote access by individuals, working from home or traveling and connecting from hotel,

• Three Types of secure connections:

• IPSec
• SSL Portal
• SSL Tunnel

• Terminating VPN

• Terminate VPN traffic at VPN terminator (decrypted)
• Integrate with firewall (Termination point is firewall)
• Terminate at DMZ (Demilitarized zone) terminator

• Scan and Quarantine
• Prevent remote storage & printing (Comply with HIPPA, SOX, etc)

• Need to configure VPN client to prevent leakage of confidential and private information
• Wireless access creates inherent threats, somebody could “piggy back” and cause interception of messages, modification of messages, interruption of Services (Dos)

• Mitigate with STRONG encryption
• Use advance technology i.e 802.11i
• Hide the signal (hiding does not eliminate encryption)

• Secure wireless access points

•  Set up policies
• Regular audits
• Locate all wireless access points in DMZ.

• Secure wireless clients

• Secure laptops
• Require mutual authentication
• Require use of infrastructure mode
• Prohibit ad hoc mode
• Encrypt all sensitive stored data.

• Wireless also needs IDS and IPS, best solution is two sets of access points,

• Dedicated access points for IDS/IPS
• Other access points for wireless traffic

• Log wireless: Who connected how many times> from where? etc
• KPI’s

• Protect our network longer than take to detect that something is going on and respond to block it.  
• Number of incident reports
• Number of attacks
• Number of “3 way handshake” violations

6.0 Mobile Security

• System use policy
• Procedures addressing media usage restrictions
• Procedures addressing access control for mobile device usage (including restrictions)
• Authorizations for mobile device connections
• Information system audit records
• Documentation of encryption mechanisms
• Procedures addressing media storage
• Logs of media transport
• KPI’s

• Suspicious activity
• Number of scans in progress
• Unauthorized changes (lower is better)
• Change success rate (higher is better)
• Number of delayed project (lower is better)
• Number of unplanned outages (lower is better)

7.0 Incident Response

• A key piece of the Time-Based Model is an effective timely response

• The goal is Reduce time to respond
• This requires training and planning

• Document a plan, more importantly test the plan
• The response plan is not an IT plan, is a Response Team plan and includes all stakeholders for example HR, C-Suite, PR, Legal.
• How easy was the event? What was exposed? How can we make it harder to repeat
• Tape backup process
• KPI’s

• Time IT spend on unplanned changes (lower is better)
• Percent of changes that are ‘emergency”  (lower is better)
• Server-admin Ratio (Higher is better)
• Unauthorized changes (lower is better)
• Change success rate (higher is better)
• Number of delayed project (lower is better)
• Number of unplanned outages (lower is better)

8.0 Business Continuity Management

• Disaster Recovery Plan (DRP)
• Business Continuity Plan (BCP)
• Business Impact Analysis
• BCP and DRP training
• The goal is resilience, But most plan for recovery

• Recovery Time Objective (RTO) “how long can we afford to be down?”
• Recovery Point Objective (RPO) “how much data can we afford to lose?”

• Backup process:

• Incremental
• Differential

• Back up media: Tape or disk?
• Back ups versus Archives
• KPI’s

• Number of unplanned outages (lower is better)

9.0 Change Management Controls

• Reduces time spent on unplanned work (BAI10)

• Increase success rate
• Reduce unauthorized changes
• Reduce Mean Time To Repair (MTTR) by standardizing configurations

• KPI’s

• Percent of changes that are ‘emergency”  (lower is better)
• Unauthorized changes (lower is better)
• Change success rate (higher is better)
• Number of unplanned outages (lower is better)

10.0 Measuring Effectiveness

• Are we doing the right thing?
• Are we doing the right way?
• Are we getting them done well?
• Are we getting the cost benefit?
• Scorecards used to evaluate

• Periodic
• Summarized/aggregate
• Used to evaluate performance
• Can be strategic or tactical level

• Dashboards used to monitor

• Real Time
• Detailed, low level picture
• Used to monitor and intervene timely
• Tactical level

• Lagging Indicators (how we did in the past)
• Leading Indicators (predict future)

• Balance Scorecard

• Multi dimensional
• Multiple measures
• Show trends
• Fits on one page or slide

• When selecting 3rd party, request SOC-2, Type 2 Report
• Resource Responsibility, but not accountability
• KPI’s

• Balance Scorecard

DEFINITIONS

KPI’s – refers to metrics

RBAC- Role Base Access Control (RBAC)

IDS – Intrusion Detection System

...