Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Generated from Enterprise Security Architecture.pdf Automatically

1. The Meaning of Security

1.1. The Cultural Legacy: Business Prevention

  • Security has a bad reputation for getting in the way of real business
  • This reputation has developed because of the way security professionals have practised
  • We need an accurate definition of what we mean by ‘security’
  • A technical definition of security may not be helpful
  • Security can be defined only relative to the value and risk propositions of the business

1.2. Measuring and Prioritising Business Risk

  • Risk is a combination of asset value, business impact, threat and vulnerability
  • Risk management is a combination of risk assessment and ‘risk mitigation’
  • The main objective is to prioritise risks so as to make wise control decisions
  • Control objectives are the abstract statement of business needs
  • Enablement objectives are another type of abstract statement of business need
  • Enablement is often the flip side of control
  • Security should be business risk-driven

1.3. Information Security as the Enabler of Business

  • Security professionals would like to have a positive reputation with their business colleagues
  • Your good reputation will depend upon your abilities to serve the business well
  • New technologies are impacting the way that business is being done
  • The effect is to migrate the point of sale and the point of delivery right into the customer’s premises
  • Business-to-business is where most of the initial growth is seen in digital business
  • Lack of customer confidence is an obstacle to digital business and eBusiness development
  • On-line banking security breaches are very damaging to reputations
  • Public relations management is just as important as technical expertise in the protection of reputation
  • Scaling and capacity planning are critical issues with respect to service availability
  • Electronic government will only succeed if the citizens can have confidence in the correct operation of the systems
  • Systems integration is a major challenge in the delivery of legacy back-end services through new frontend portals
  • The current environment is a huge opportunity for security professionals to excel
  • Technology alone is not enough to produce effective security

1.4. Adding Value to the Core Product

  • There are different issues for retail business and corporate business
  • ICT is impacting on traditional bricks-and-mortar companies in several ways
  • Most traditional industries have similar experiences
  • Customer confidence in safety-critical systems is created and maintained through a comprehensive assurance programme
  • New ways of working enabled by new technology have a significant impact on customer expectations
  • Customer decisions are affected by perceptions of service

1.5. Empowering the Customers

  • Customer empowerment means giving the customer choices
  • Understanding the concept of customer service is critical to business success in the new economy
  • Information security practices can deeply affect perceptions of customer service
  • Service quality and information security are closely linked

1.6. Protecting Relationships and Leveraging Trust

  • Business relationships are based upon trust
  • Trust is a business relationship attribute, not a technical attribute
  • Technical systems need to protect the trust that exists in a relationship
  • If you trust the source of an information service, you must also be sure that you are talking to the authentic trusted party and not to an impostor
  • Trusted third parties act as intermediaries to introduce business partners to one another
  • Business relationships are formed in similar ways to social relationships
  • Business relationships are driven by human factors, not by technology
  • Mutual trust is essential, and must be protected by technical systems

2. The Meaning of Architecture

2.1. The Origins of Architecture

  • Architecture is best understood in the context of buildings
  • Architecture fulfils the needs of those who experience it
  • The needs that architecture must fulfil are very diverse
  • Goals, environment, materials and skill are key drivers of architecture
  • The Sydney Opera House could not have been built in piecemeal fashion

2.2. Managing Complexity

  • A major function of architecture as a tool is to manage complexity in large projects
  • Architecture also acts as a road map for a collection of smaller projects that must be integrated into a single homogenous whole
  • Architecture provides a framework within which many members of a large design team can work harmoniously
  • This is achieved through layering techniques and through modularization

2.3. Information Systems Architecture

  • Architecture has been adapted to other spheres of creativity
  • Information systems architecture addresses the creation of business computing systems
  • Information systems architecture has influences similar to buildings architecture
  • Architecture addresses a wide range of issues beyond the technical domain
  • An inadequate understanding of architecture can lead to failure to deliver business value
  • This book addresses the wider issues, not just the technical dimension
  • Business systems architecture is the highest-level framework
  • Business architecture is the primary component
  • Information architecture is an abstract representation of the business
  • Information architecture is the framework for business information management
  • It describes information types and their behaviour
  • The applications architecture supports the information architecture
  • Applications represent and support real business processes
  • Modern applications architectures are likely to exhibit certain common properties
  • Applications architecture enables business flexibility
  • Infrastructure is the logical and physical medium for supporting applications
  • Infrastructure architecture is highly technical
  • Risk management architecture cuts across all others
  • Risk management architecture is pervasive
  • Management and governance architecture is all-pervasive
  • It describes how the management team controls the business
  • Management and governance architecture describes levels of authority and decision making
  • Definition of information systems architecture
  • Infrastructure is a multi-layered technical architecture
  • Service integration is middleware plus data management plus common services
  • Data processing means ‘platforms’; Information transfer means ‘network’
  • There are three pervasive service types
  • ‘Operational services’ means people and the tasks that they perform

2.4. Enterprise Security Architecture

  • Many organisations have a long history of piecemeal implementations of security
  • The total cost of ownership of multiple systems is often driven by the complexity of the diverse user authentication methods in use
  • True architecture never happens by accident
  • Enterprise security architecture is the solution to the business problems of piecemeal development
  • Business strategy for security is closely linked to operational risk management goals
  • The SABSA®model is used in this book as the framework for developing an enterprise security architecture
  • Everything in a security architecture must be a reflection of business requirements
  • The model is generic and defines a process for architecture development — each solution will be unique to the individual business

2.5. Why Architectures Sometimes Fail to Deliver Benefit – and How to Avoid that Fate

  • George Santayana
  • The piecemeal approach to security is commonly found
  • Far from rendering business benefits, this leads to business problems
  • Good security is business-led and business-serving
  • Information security is only one part of the business assurance picture
  • Availability, integrity, authenticity, confidentiality, accountability, auditability
  • Security has to be balanced against other requirements
  • Requirements often pull in conflicting directions
  • Some requirements are specific to the business of the enterprise
  • Security architecture must address the wider range of requirements
  • Failure to address the wider range of issues is common
  • Successful architecture is business-focused
  • Success as an architect requires strength of character and good communications skills
  • Senior management buy-in and support is a critical success factor
  • Geoff Rob’s Ten Rules for the Solution Architect

2.6. Security Architecture Needs a Holistic Approach

  • Security can be analogous with a chain — one link breaks, the chain is broken
  • Complex systems have a holistic design quality and are not described by checklists alone
  • Complex system example
  • Checklists often miss out key questions
  • You need a holistic approach

3. Security Architecture Model

3.1. The SABSA® Model

  • Continuing with the analogy of building architecture
  • The architecture model used in this book has six layers
  • The layers can also be arranged so that Operational Security Architecture is a vertical bar
  • Kipling’s poem provides six key questions
  • Before an architect can begin work the business owner has to specify what sort of building is needed
  • Five more key questions
  • what
  • Understanding requirements is a prerequisite to effective design
  • We take a similar approach in developing an architecture for a secure information system
  • By asking these questions you establish the business requirements
  • The result is the contextual security architecture
  • contextual security architecture
  • Shortcuts that omit this step are likely to result in failure to meet business needs
  • Technologists are traditionally not good at listening to the business owners and users
  • It is not uncommon for an information systems group to have a poor relationship with business colleagues
  • Following through all the layers in the architectural model is essential to success
  • Each layer is also analysed vertically using six key questions

3.2. The Architect’s View

  • An architect is a visionary who creates the concept of how the system will be built, and sets the design rules
  • The architect’s view is the conceptual security architecture
  • concept
  • Once again one needs to ask the six key questions for the vertical analysis
  • What? — Business Attributes
  • Why? — Control Objectives – the motivation for security
  • How? — Major security strategies and layering principles
  • Who? — The security entities and their trust relationships
  • Where? — The security domain model
  • When? — The time dependence of security

3.3. The Designer’s View

  • The designer must realise the architect’s vision as a meaningful design
  • The process is known as ‘systems engineering’
  • system
  • The result is the logical security architecture
  • As for the other layers, six key questions reveal the vertical analysis

3.4. The Builder’s View

  • The builder constructs the physical system
  • This view is called the ‘physical security architecture’
  • The six key questions again

3.5. The Tradesman’s View

  • The construction process needs a range of different skills and component parts
  • Construction requires the integration of many components
  • The component security architecture
  • Once again the six key questions

3.6. The Facilities Manager’s View

  • The facilities manager runs the building in its operational lifetime
  • The operational security architecture
  • Operational security architecture cuts across the other layers

3.7. The Inspector’s View

  • Providing assurance through audit and inspection
  • An integral part of the operational security architecture

3.8. The SABSA® Matrix

  • The six key questions that have been asked at every layer to provide a vertical analysis
  • The overall framework is the 36-cel1 (6×6) SABSA®Matrix

3.9. Detailed SABSA® Matrix for the Operational Layer

  • The operational layer also maps over the other five layers

4. Case Study

4.1. Intergalactic Banking and Financial Services Inc

4.2. Interviews at IBFS

  • years

5. A Systems Approach

5.1. The Role of Systems Engineering

  • Systems engineering is ‘A rational approach to decision making related to the solution of complex problems in engineering planning, design and operation”
  • Systems engineering is the most relevant approach to designing digital business systems
  • rational approach to decision making related to the solution of complex problems in engineering planning, design and operation
  • The aim here is to apply systems engineering thinking, not to reinvent systems engineering
  • SSM has been ill served by its commentators, many of whom (sic) demonstrably write on the basis of only a cursory knowledge of the primary literature
  • The description here is a high-level summary of the systems approach
  • Systems engineering practices are useful tools for the security architect

5.2. Why a Systems Approach?

  • Complexity is a primary issue
  • Top-down decomposition of the system into sub-systems enables complexity to be transformed into simplicity
  • The ‘black box’ concept is another aspect of systems decomposition and analysis
  • Black boxes take an input and transform it into an output
  • Black boxes assist in creating simplicity from complexity
  • Systems can be analysed into a logical flow through a series of black boxes
  • A systems approach provides a structured framework in which to work

5.3. What Does the Systems Approach Make You Do?

  • Write down what you really need
  • to write down what you really need
  • If you can’t write it down, you haven’t thought it through
  • if you can’t write it down, you haven’t thought it through
  • ‘Writing down’ includes both diagrams and text
  • Structured review and feedback is a peer-review process
  • Communication and preservation of ideas

5.4. The Need for Systems Engineering in Security Architectures

  • Systems engineering addresses complex problems
  • Modern business systems are becoming more and more complex
  • Complexity is destabilising unless you have tools to manage it
  • Systems engineering techniques provide the tools for managing complexity

5.5. Some Basic Concepts

  • The system seen as a collection of component parts and actions
  • System objectives should be mapped to business requirements
  • Starting with only technical objectives is a common fault
  • Incorrect objectives lead to poor solutions
  • The system environment is outside of your control, but you must consider its influences
  • influence
  • System resources are within the system boundary
  • Top-down decomposition into nested sub-systems reduces overall complexity
  • Sub-system design must take account of overall system goals
  • Management implies the ability to measure
  • Management is concerned with ensuring that the objectives are met
  • ‘Performance’ here has a wide meaning
  • Business Attributes provide a technique for normalising objectives and measuring performance

5.6. The Control System Concept

  • Control loops are used in control systems
  • Feedback control is the most common
  • A feedback loop is constructed from three basic sub-systems
  • Measurement information is fed back through a decision module to a control module
  • Control loops are used to manage security in business systems

5.7. Using the Systems Approach in Security Architecture

  • A systems approach helps in the design of secure systems
  • Use broad business-based definitions of objectives
  • Always include the environmental elements
  • Threats are environmental; vulnerabilities are within the system
  • Use decomposition into subsystems to reduce complexity
  • Meaningful monitoring and measurement is the key to successful system management
  • meaningful

5.8. Case Study

  • all
  • all

5.9. Advanced Modelling Techniques

  • Advanced techniques for those with a deeper technical interest
  • Business process engineering applies system concepts to business
  • Certain processes are common to many enterprises
  • A meta-process is used to manage processes
  • Business process engineering uses top-down decomposition
  • Business process engineering leverages new technology
  • Business processes are built up from individual functions
  • Business processes need to be managed at a process level, not just a functional level
  • Higher-level systems depend on their constituent lower-level components
  • The AND relationship
  • The OR relationship
  • AND increases risk; OR decreases risk
  • Can be applied to sophisticated risk modelling
  • Traffic light systems have finite states
  • Finite state machine is another system modelling tool
  • The model comprises states, state variables, state transitions and events
  • All of the finite number of states must be identified
  • all
  • Predicates govern the selection of the appropriate outgoing event
  • Specific actions are local responses to incoming events
  • FSMs behave atomically
  • FSM modelling is applied to interactive protocols in systems
  • Security architectures embody many interactive protocols
  • FSM modelling is a tool for guaranteeing high levels of assurance in systems
  • Types of high-assurance system
  • High levels of assurance require comprehensive model checking and possibly formal specification languages
  • This section offers a brief introduction to FSMs, not a comprehensive treatment of the subject
  • New security-specific techniques such as trust modelling and domain modelling will be introduced later in the book
  • Systems Engineering
  • Systems Thinking Systems Practice
  • Systems Engineering

6. Measuring Return on Investment in Security Architecture

6.1. What Is Meant by ‘Return on Investment’?

  • Return on investment is concerned with evaluating the payback
  • Insurance is not a good analogy for security
  • If security is good, there are no incidents — nothing happens — which makes it hard to demonstrate benefit
  • ‘Return of value’ is perhaps a more useful phrase

6.2. Why Do You Need Metrics?

  • Some famous quotations about measurement
  • The ‘can’t measure, can’t manage’ maxim from Drucker is especially useful
  • Many people need measurements
  • The information security manager needs measurements
  • The team members need measurements
  • Senior managers need measurements
  • Measuring security performance can be challenging. The SABSA®Business Attributes Profile provides a useful approach

6.3. The Security Management Dashboard

  • The concept of an instrument panel or dashboard is useful
  • The measurements and the reporting of them is an important element in feedback control loops
  • The dashboard provides the means to assess the status of the security management process
  • The domains of activity follow accepted wisdom
  • Success depends upon diligence in all three domains
  • There are a number of ways to provide the measurements

6.4. The Balanced Scorecard Approach

  • Balanced Scorecard is a general business performance measurement methodology
  • BSC combines financial measurements with other more qualitative methods
  • BSC translates strategy into performance measures
  • There are four perspectives for the measurements
  • The four perspectives form a layered architecture model
  • Here are some of the benefits of using BSC
  • BSC is the first step towards becoming a Strategy-Focused Organisation
  • Strategy-Focused Organisations operate on five principles
  • BSC is highly suited to new strategies and organisational alignment
  • There is considerable harmony between BSC and the aims of a security architecture programme

6.5. Business Drivers and Traceability

  • Which of the many possible metrics that could be displayed on the dashboard should you choose?
  • If security is difficult to measure, risk may be easier
  • Risks tend to be the negative side of Business Attributes
  • Business drivers for security are closely related to these Business Attributes
  • Business drivers are part of the contextual security architecture
  • A layered architecture approach gives bi-directional traceability
  • This layered framework ensures that every component and every operational procedure is there because at the top of the model there is a business driver that eventually is satisfied by these elements
  • Every solution is traceable back to and justified by some business requirements

6.6. Business Attributes and Metrics

  • The taxonomy of Business Attributes is based entirely on practical experience
  • New Business Attributes are added as experience grows
  • The taxonomy is classified under seven headings
  • Business Attributes can be used in one of two ways
  • A one-to-one mapping between Business Attributes and business drivers is not a necessity
  • Traceability is derived from the cross-mapping of Business Attributes and business drivers
  • The actual metrics you use must fit into your specific business model
  • There are hard, quantitative metrics and soft, qualitative metrics

6.7. Setting Up a Metrics Framework

  • Having selected the Business Attributes, you need to select your measurement approach
  • Further examples
  • The metrics provide the means to monitor ongoing performance of the security management programme
  • Independence of the reporting should be preserved

6.8. Maturity Models Applied to Security Architecture

  • Capability maturity models have been developed at Carnegie Mellon University
  • CMM uses a domain structure called Process Areas
  • CMMs have been developed in several application areas
  • The CMM concept has also been developed for system security engineering
  • The SSE-CMM uses both Capability Levels and Process Areas
  • Definition of a Process Area
  • Definition of a Base Practice
  • Tables show examples of the practices used in SSE-CMM
  • The CMM concept is very good, whether or not you use this specific version of it
  • CobiT is an open standard for the IT Governance Institute
  • The CobiT Management Guidelines
  • CobiT Key Indicators
  • The CobiT CMM
  • ad hoc
  • The CMM is used to benchmark the enterprise
  • Visual presentation of the benchmarking results
  • A CMM can be used directly to report progress to senior man
  • Using a CMM requires some sophistication on the part of the management team
  • It is not always appropriate to aim for the top of the scale
  • Benchmarking measures performance against an external standard
  • You need self-assessment for benchmarking
  • The benefits of benchmarking play to your need for measuring return on investment

7. Using This Book as a Practical Guide

7.1. Using the SABSA® Model to Define a Development Process

  • The SABSA®Model previously introduced is the basis of the development process
  • Development is sequential, except for the operational layer
  • There is a natural sign-off and buy-in milestone after the conceptual layer
  • The design phase follows the sign-off and buy-in milestone
  • Completion of the design phase is another major milestone
  • After implementation comes the manage and measure phase
  • The four phases form a cycle – an architecture lifecycle
  • Each phase is described in detail below

7.2. Strategy and Concept Phase

  • The diagrams show the detailed processes
  • You begin by collecting business requirements
  • The business requirements populate the first row of your architecture matrix
  • The format as a row in the matrix is for presentation only — the information is physically held in a series of working documents
  • ad hoc
  • By analysing and synthesisingyou create the deliverables
  • Detailed flow charts of activity are shown in the diagrams
  • The process diagrams are arranged in columns
  • Off-page connectors indicate the linkage to other flowcharts
  • The flowcharts show key input sources
  • The Business Attributes Database is applied twice
  • The Threats Database prompts your thinking on risk assessment
  • Fitting together the two layers of this phase
  • The assets of the business are conceptualised in the Business Attributes Profile
  • The success factors and mitigation of risks are conceptualised as control objectives
  • The entire business model drives the security strategy at the conceptual layer

7.3. Design Phase

  • Design only begins when you have sign-off to the Strategy and Concept phase
  • Sometimes your work must begin somewhere in the middle of the process, utilising earlier work that precedes it
  • If you have to start in the middle, you should validate previous work
  • The design authority takes responsibility for the integrity of the design
  • The detailed development process is shown in the flowchart
  • The business information model is a prerequisite
  • The business process model is a prerequisite
  • A functional specification is part of the logical architecture
  • Functional specifications are usually associated with specific projects
  • Where future projects conflict with the architecture, a resolution process is needed
  • The detailed flowchart shows the development process
  • The detailed flow-chart shows the development process
  • Operational people must be involved in designing the operational security architecture
  • At this stage you develop only the framework for the operational processes
  • Further insight into how it all fits together
  • Case study example on directory architecture

7.4. Implementation Phase

  • Infrastructure projects rarely get business support
  • Enterprise-wide security architecture will never be implemented as a single project
  • Implementation of architecture is fragmented — one project at a time
  • Architecture governance is needed to ensure that projects comply
  • The detailed flowchart shows the implementation process

7.5. Manage and Measure Phase

  • Manage and Measure is concerned with operational aspects
  • Operational costs are usually the greatest contributor to total cost of ownership
  • Measurement is required to feed back to senior management the success story
  • The detailed flowchart shows the management and measurement process
  • Security architecture must live and breathe — it changes over time

8. Managing the Security Architecture Programme

  • Now that you know how to say it, what do you want to say?
  • Identify specific business problems in your organisation and explain how you can help to solve these problems
  • Build a return on Investment model specific to your organisation
  • Leverage the fact that senior management already understands economies of scale
  • Remind the directors that you are protecting their personal liabilities under the law

8.1. Selling the Benefits of Security Architecture

  • You need to sell your programme to the senior management team
  • How sell an idea and influence opinion
  • These rules for communicating are unfamiliar to those with a traditional scientific education
  • A successful security architect applies these rules in many different ways
  • Appeal to the senior management focus on overall business risk management
  • Diligent risk management is part of good corporate governance
  • Internal auditors have different roles in different organisations
  • Emphasise the benefits of being well-prepared for the internal auditors
  • Extend the idea to preparing for the external auditors
  • The business analysts are very powerful influencers
  • Analyst opinion affects share price, which is critically important to senior management
  • Quote the analyst reports to support your case
  • Fast time to market is often an important business driver
  • Security architecture helps to promote a fast turnaround on projects
  • Common security services and mechanisms are the key success factors
  • Development speed must also be traded against assurance – security architecture helps here too
  • Frequent business reorganisation is commonplace
  • Monolithic security architecture presents an obstacle, but domain-based security architecture makes reorganisation easy to manage
  • Security domains are a key concept of the methodology
  • Operating costs usually dominate the overall cost model
  • Look out for places where there are high operating costs and where the security architecture can provide large cost savings
  • Statistics on how long it takes to resolve user problems are often available
  • Use the available statistics to assess how much productive time is lost through user problems
  • Make sure the security architecture specifically addresses these productivity losses
  • The concept of a standardised desktop configuration is often used to optimise the help desk efficiency
  • Outsourcing ICT operations, including certain security management operations, is popular
  • Outsource the operational implementation of security policy — not the setting of security policy
  • Design the security architecture keeping in mind an outsourcing strategy for security operations
  • Cost saving has already been identified in earlier discussions
  • Make sure you identify the potential cost savings specific to your organisation
  • Trust is an attribute of relationships. Technical systems are used to protect that trust
  • already
  • Business is based on trust. Electronic and digital business also need to support and protect that trust
  • Key security services are used to provide this protection of trust
  • The login process is often a source of major frustration through inconsistencies in the user experience
  • Standardising the login user interface is one of the major benefits of a security architecture
  • Single sign-on offers the most efficient login interface but is controversial with regard to its vulnerability of a single password
  • Although multi-factor authentication can solve the technical vulnerability of a single password, it still raises many other significant issues

8.2. Getting Sponsorship and Budget

  • Getting sponsorship depends upon being able to sell the benefits to budget holders
  • Key influencers of budget holders are also a good target for you
  • Here are some points that might help to persuade those whose support you seek

8.3. Building the Team

  • The security architecture programme is a team game
  • Definition of a team
  • Belbin’s research into team roles provides a very useful model
  • Research shows that teams based objectively on these roles are more successful than those selected by subjective intuition
  • Subjective selection of team members does not usually produce the right mix of skills
  • Examples of poor team configuration are common
  • In knowledge-based working, team members must be empowered and must buy in to the team objectives
  • Empowerment must include some risk-taking and incorporate a tolerance of mistakes
  • Team development has four identifiable phases
  • Effective teams have certain characteristics
  • Team dynamics are nothing new, but they will impact the success of the security architecture programme

8.4. Getting Started: Fast Track™ Workshops

  • Getting everyone started and ensuring their buy-in can be challenging
  • You could use this book get everyone to read it!
  • The authors have successfully used Fast Track™ workshops to overcome this challenge
  • Fast Track™ gets the key players to experience every aspect of the programme in a short time
  • The workshops are based on small syndicate groups
  • Each topic is treated in turn
  • Some types of people such as senior managers attend only a restricted subset of the workshops
  • Every Fast Track™ is tailored to the specific needs of the client organisation
  • There is a post-workshop report that summarises the output from the workshops
  • The objective of Fast Track™ is to create a realistic programme plan
  • If you want to explore this approach, please make contact

8.5. Programme Planning and Management

  • Professional programme and project management is an essential ingredient for success
  • Being a good team leader does not necessarily imply good project management skills

8.6. Collecting the Information You Need

  • You will need to collect certain information about the organisation
  • Collecting information on the business is critical to the SABSA®process
  • You need to get access to the most senior managers that you can reach
  • Use a senior champion to help secure the interviews with the right people
  • A senior management interview is a great opportunity
  • It also carries some risks
  • Here are some ideas on the types of questions to use in a senior management interview
  • Some questions can be very sensitive
  • The questions here will provide you with a general idea of the type of approach to take
  • Encourage an open response
  • Validate your understanding of the information provided
  • Executives and managers can have conflicting requirements
  • Understand the best way to record interview results
  • The skill of the interviewer is critical — make sure you use on-the-job training to develop these skills
  • Some senior interviewees can be quite hostile
  • Existing documents and reports can be a good source of material, especially the annual report and accounts
  • Other existing documents are also potentially very useful
  • In your organisation there will be other specific sources that you can identify
  • Technical information is relatively easy to collect
  • The relationship with technical managers is also significant in getting agreement about solutions

8.7. Getting Consensus on the Conceptual Architecture

  • You will need to gain consensus on the conceptual security architecture
  • The clear division of lifecycle phases is to emphasise this point
  • You must build and maintain strong relationships with the key players
  • Find out what makes them tick
  • Foresee difficulties and manage expectations
  • Gain consensus through open forum workshops
  • Pre-selling the ideas ensures success at the workshops
  • Politics and diplomacy are necessary to your success

8.8. Architecture Governance and Compliance

  • Security architecture is a strategic road map that should be followed by all projects
  • To be successful, there must be a way of ensuring that all projects comply with the architecture
  • Controlling budget sign-off is a good tool to ensure compliance
  • The Architecture Board is the mechanism by which compliance is governed
  • The Architecture Board approves the architecture and approves projects as being compliant
  • Here are some ideas on membership of the Architecture Board
  • A possible substitute for the Architecture Board is an ISO17799-style steering committee
  • The Design Authority is a single person accountable to the Architecture Board for compliance of a given project

8.9. Architecture Maintenance

  • Despite the durability of an architecture, changes will be needed
  • Business requirements change over time
  • New technologies emerge and need to be integrated because of new benefits they bring
  • Practical operating experience also exposes flaws and suggests new approaches
  • Architecture maintenance should be under the governance of the Architecture Board

8.10. Long-Term Confidence of Senior Management

  • You must maintain the momentum of senior management support
  • No flow of deliverables will lead to loss of confidence
  • Manage expectations
  • Management Teams
  • Teamwork
  • Psychological Bulletin

9. Contextual Security Architecture

9.1. Business Needs for Information Security

  • SABSA®Matrix cross-reference
  • ICT has become pervasive in modern businesses
  • The value of information security is related to the business value protected
  • This chapter provides a list of important things to investigate
  • Business drivers identified in this chapter are the primary inputs of the SABSA®Methodology

9.2. Security As a Business Enabler

  • SABSA®Matrix cross-reference
  • Information security can enable business that would otherwise be too risky
  • Electronic publishing needs security to protect against unauthorised copying
  • On-line music and movies also need protection against theft of the material
  • All digital entertainment media have this requirement
  • Restricting access to a value added service makes it a commercial proposition
  • Electronics is widely used in process control
  • Once the control is removed to a remote location, security becomes an important issue
  • You do not have to run a factory to have remote process cortrol issues
  • Network management is a case of remote process control
  • Many network management systems have a very poor level of security
  • Large businesses are often dependent upon successful management of the supply chain
  • ICT is frequently used to improve supply chain management
  • Where It is applied, there are many security issues to address
  • The Internet and the web are frequently used for research purposes
  • Trust in the sources of information is an issue
  • Authentic service providers who charge for services need to protect their revenue

9.3. Digital Business

  • SABSA®Matrix cross-reference
  • ‘Digital business’ is post dot-com terminology
  • ‘Digital business’ defined
  • The lifecycle of the dot-com rise and fall
  • Reasons for the dot-com phenomenon
  • What you need to do next to recover after the dot-com crash
  • Enterprise security architecture is part of the recovery process
  • Banking has been an early adopter of information and communications technology for many years
  • Banks are also very experienced in the deployment of information security
  • There are always new exploits emerging
  • Important message to all customers
  • Please read this important message about security. We are working very hard to protect our customers against fraud. Your account has been randomly chosen for verification. This is requested to us to verify that you are the real owner of this account. All you need to do is to click on the link below. You will see a verification page. Please complete all fields that you will see and submit the form. You will be redirected to the IBFS iBank home page after verification. Please note that if you don’t verify your ownership of account in 24 hours we will block it to protect your money. Thank you
  • Electronic purchasing is a popular application with many benefits
  • The main benefit is bringing rogue buying under control
  • Fraud prevention is the main security focus
  • eGovernment should provide better service to the citizens
  • There are also concerns about government exerting too much control over citizens
  • There are many security requirements for successful eGovernment

9.4. Operational Continuity and Stability

  • SABSA®Matrix cross-reference
  • Revenue generation depends upon operational continuity
  • ICT has been applied to improve customer service levels and to make customer service into a competitive issue
  • If you raise expectations of customers, you must deliver to those expectations
  • If customer service is a key differentiator, it is worth protecting
  • Reputation is difficult to measure
  • Operational incidents do impact on reputation, but how much?
  • Reputation failure is unpredictable — so you must limit the risks that you take with it
  • Protecting reputation is an individual thing
  • Management information helps you to keep control of your business
  • Management information needs to be accurate and timely
  • Some regulated industries require an operating licence
  • Regulation is a strong business driver for information security
  • In organisations where the employees are key to success, you need to maintain their confidence
  • Professional employees are tuned into management performance, including security management
  • Employees need to feel trusted and empowered to do their work
  • Employees must be protected against personal abuse and false accusations
  • Personal privacy in the use of corporate systems is a sensitive issue
  • Reasonable personal use of corporate systems is probably a wise middle ground to seek out
  • Shareholders have several windows through which they see the workings of the organisation
  • Corporate governance is an issue for shareholders
  • Satisfying the auditors and analysts is the key to maintaining shareholder confidence
  • Some organisations do not have shareholders
  • Government organisations are susceptible to sweeping changes reflecting political policy changes

9.5. Safety-Critical Dependencies

  • SABSA®Matrix reference
  • Safety-critical systems defined
  • Hacking into remote communications to safety-critical systems is a major security issue
  • Applied cryptographic techniques provide a large part of the solution
  • Authentication of communications to a remote safety-critical system is a particular requirement
  • Authentication of support documents in the civil aviation industry is also important to prevent all methods of logical attack
  • Assurance of correct working is a key requirement for safety-critical systems
  • The main issue is assurance of no unwanted functionality
  • Security of safety-critical systems has demanding requirements

9.6. Business Goals, Success Factors and Operational Risks

  • SABSA®Matrix cross-reference
  • Brand is one of the most valuable assets of any organisation
  • Fraud is nothing new but there are new ways to commit fraud
  • Computer systems can be a means to commit fraud
  • ‘Computer fraud’ is committed by people, not computers
  • There are many operational risks that can lead to business losses
  • Business continuity management requires security management of systems to ensure continuous service
  • Business continuity is a key business driver for the information security architecture
  • Security architecture supports strategy
  • Business strategy calls for good governance and accountability
  • Legal factors are another major business driver for information security architecture
  • The Business Attribute Profile will help you to identify the relevant legal drivers
  • Every business has many key stakeholders
  • Maintaining stakeholder confidence is a key driver for your security architecture

9.7. Operational Risk Assessment

  • SABSA®Matrix cross-reference
  • Operational risk defined
  • Risk assessment is needed for the contextual security architecture
  • To assess risk you need a suitable model
  • Estimating the likelihood of an event is complex
  • Risk assessment is an important part of the methodology in this book
  • Quantitative threat assessment is unrealistic for most organisations
  • Intelligence gathering is also unrealistic for most organisations
  • Vulnerability assessment is much more realistic
  • A typical risk assessment method
  • To understand threats you need a modelling framework
  • A taxonomy of threats is included to help you
  • The first dimension is the threat domain, based upon the definition of operational risk
  • The classification scheme has two dimensions
  • The domains explained and described
  • The second dimension is the threat category, based on experience and observation
  • To gain greater insight into threats you can construct threat scenarios
  • The main reason to do risk assessment is to identify the most important risks in order of priority
  • A qualitative method of risk assessment is described here
  • Risk mitigation is the process of setting control objectives and implementing controls through the security architecture
  • This is a key contextual/ conceptual interface

9.8. Business Processes and Their Need for Security

  • SABSA®Matrix reference
  • Interactions require identification, authentication and authorisation
  • Methods of communication have an important effect on your security architecture
  • The applications also drive the security architecture
  • You need to look at threats, impacts and vulnerabilities for each form of communication
  • There are many forms of electronic business transactions
  • You need to examine your transactions to define your security reuqirements

9.9. Organisation and Relationships Affecting Business Security-Needs

  • SABSA®Matrix cross-reference
  • Organisational drivers for information security

9.10. Location Dependence of Business Security Needs

  • SABSA®Matrix cross-reference
  • The Internet has made business much less dependent upon relative location of the players
  • Many people now work from remote locations
  • Virtual teams are spread across the world using ICT to communicate
  • Data networks connect distant physical offices into a single logical office
  • Some virtual companies have no office at all
  • More business drivers

9.11. Time Dependency of Business Security Needs

  • SABSA®Matrix cross-reference
  • To attack a secure system takes time
  • To detect an attack and to react takes time
  • Time Based Security

10. Conceptual Security Architecture

10.1. Conceptual Thinking

  • Conceptual architecture is about being able to design the forest rather than the trees
  • Conceptual architecture is about the big picture
  • This book is designed to help you be a successful security architect

10.2. Business Attributes Profile

  • SABSA®Matrix cross-reference
  • The taxonomy of Business Attributes captures many years of practical experience
  • Business Attributes are used in two different ways
  • Your Business Attributes Profile is a conceptual representation of your business
  • The Business Attributes Profile is a powerful tool
  • The Business Attributes Profile is an important part of your conceptual security architecture
  • The Business Attributes Profile provides the target for the measurement phase
  • This integrates the Manage and Measure phase with the Strategy and Concepts phase

10.3. Control Objectives

  • SABSA®Matrix cross-reference
  • Control objectives state the desired result of implementing controls
  • Control objectives can be generic good practice or specific to a business need
  • Control objectives conceptualise the Business Risk Model
  • The control objectives form an interface between the contextual and conceptual layers
  • There are several sources of generic ‘good practice’ control objectives
  • The control objectives form a core part of the conceptual security architecture

10.4. Security Strategies and Architectural Layering

  • SABSA®Matrix cross-reference
  • There are many approaches to layering and security strategy
  • Security architecture is not the same as software architecture
  • Increased effectiveness is achieved by multiple layers of security of different types
  • Multi-layering of security avoids any single point of failure — if one control fails, another will be effective
  • Improved effectiveness is also achieved through multitiered security services
  • A comprehensive list of security service is inChapter 11
  • You need some security infrastructure to support security services
  • The infrastructure architecture should be layered
  • Network and platform security is distinct from application security
  • The distinction of security domains for networks and platforms supports an outsourcing strategy
  • To facilitate integration of real-world components you need a common security services API architecture
  • The API model is purely conceptual
  • To make this API model work, the software architecture itself has to be properly designed
  • This requires some in-house development
  • This approach allows the integration of components from many different vendors
  • Third-party applications are integrated using an application adaptor
  • Application adaptors are software modules that provide a conversion interface
  • Common security services are integrated as if they were applications
  • Applications security architecture is a specialist area
  • Legacy applications are often constructed on a stovepipe architecture
  • The ‘stove-pipe’ architecture arises through lack of planning and coordination
  • This stovepipe approach makes integration difficult
  • Modern architectural thinking leads to the daisy model of application architecture
  • The ‘daisy’ architecture concept is well-aligned with providing common security services
  • Which security services are appropriate at which layer?
  • Application security is about authorisation
  • You need an authorisation process
  • Logical access control enforces authorisations Front-end authentication
  • Back-end audit trails
  • Security administration for creating and editing
  • The Six As of application security
  • Legacy systems are often self-contained and difficult to integrate
  • An integrated application security architecture has major benefits
  • Role-based access control is a conceptual approach needed to deliver these benefits
  • Application level communications
  • Network security and applications communications security are not the same thing at all
  • Network security protects network resources; application security protects application resources
  • There is widespread use of data encryption in network layers
  • Middleware organises the logical service view of a distributed system
  • Explicit security services — called explicitly by the application through an API
  • The application may need to receive a result for its
  • Implicit security services — provided by the middleware transparently to the application
  • The middleware has physical location knowledge and can apply location-dependent context rules
  • Middleware security services are provided independently of any other layer
  • Explicit security services are called through the common security services API
  • There may be constraints on implementing the middleware security architecture due to lack of functionality in vendor products
  • Middleware security requires cross-platform inter-operability
  • Data management has its own special security requirements
  • Data management must implement authorised (controlled) access to data
  • Data management subsystem security services
  • Data management subsystem security management services
  • Information transfer (network) sub-layering
  • Network management embraces the managing of security services in the network
  • Network security is not there to protect applications or their data
  • Separation and independence of application security and network security is the best architectural approach
  • These segregation concepts are controversial
  • The VPN concept provides limited protection of confidentiality of data being transported
  • Other types of protection beyond confidentiality of data are not possible in the network layer
  • Network layer security mechanisms have limited value
  • Confidentiality services at the network layers suffer the residual risk that the application is unaware if the encryption is turned off
  • Network security strategy has many facets
  • Processing layer refers to platforms
  • Platforms also have operating systems
  • Principles of platform security
  • Platform security services
  • Generic access control subsystem architecture
  • Access control decision making process
  • Integrated access control in many legacy systems creates architectural problems
  • A strategic role-based access control architecture can alleviate these problems
  • The use of roles decouples users from target applications for the purposes of administration
  • CAM decisions
  • CAM enforcement
  • system decisions
  • Target system enforcement
  • RBAC brings many benefits
  • Remote communications between the distributed parts of the RBAC subsystem is protected by cryptography
  • User-to-machine interaction is also decoupled from the network communications to the authentication server
  • Network transmission of passwords is replaced by cryptographic authentication exchange protocols
  • Decoupling has the added advantage of architectural flexibility for future upgrades
  • Two-factor authentication with token devices can be used to strengthen the user-to-machine interaction
  • Biometrics offers some interesting possibilities but is immature and controversial
  • Managing security services
  • Securing management services
  • The TMN model for service management architecture
  • TMN is in harmony with the SABSA®approach
  • Other standards for service management architecture
  • Systems assurance defined
  • Cross-reference toChapter 17
  • Tools used to develop high assurance
  • Cross reference toChapter 9
  • Directory service is one of the common security services in the example of security infrastructure architecture
  • Directory objects
  • Directory functions
  • Directory access control
  • Directory integrity and availability
  • Directory security management strategy
  • Important management issues for directory architectures
  • Directory object types
  • Entity classes
  • Directory schema
  • User-class attributes
  • Using security equivalence for ease of administration
  • Users with multiple contexts require multiple user-class objects
  • Directory structure and objects
  • PKI will have its day again
  • We shall describe only the basic principles
  • What public key cryptography provides
  • Digital signatures
  • Public key encryption
  • Non-repudiation requires a trusted third-party arbiter
  • Conditions for the scheme to work
  • PKI defined
  • PKI strategy for the future

10.5. Security Entity Model and Trust Framework

  • Security entities defined
  • Security entities as subjects
  • Global unique naming of entities
  • The directory as repository for entity information
  • Entity relationships
  • Trust in entity relationships
  • Trust in the merchant-customer relationship
  • Two-way trust
  • Buyer trusts merchant
  • Merchant trusts buyer
  • Trust is a relationship attribute, not a technical attribute
  • Levels of trust are variable
  • If trust can be sold as a service, who is the customer?
  • trust broker
  • Specific examples show the way
  • Buyer trusts claims of quality
  • Seller trusts good faith on payment method
  • Trust implies a claim by one party that is relied upon by the other party
  • One-way trust is the lowest common denominator of all trust relationships
  • Real business relationships imply complex two-way trust — which can be analysed into simple components
  • Looking for solutions for protecting trust
  • PKI plays a part
  • The relying party is the customer for trust broker services
  • Trust brokers must offer liability cover to add value
  • liability
  • Original academic models of trust services were flawed
  • Trust services have to be based on a true business model
  • Trust broker services must meet the needs of the relying parties
  • The trusted transaction as the unit of ‘product’
  • trusted transaction
  • The credit card analogy shows how it should work
  • The services on sale are trust and liability management
  • trust
  • There may be a registration fee
  • The relying party wants assurance from the trust broker of trust in a given claim by a claimant
  • Transitive trust
  • transitive trust
  • Transitive trust can be reduced to a series of simple one-way trust relationships
  • Pricing and service packaging are commercial
  • E-mail trust services are more likely to be subscription services
  • Analysing a business application to determine the trust services
  • Trust service providers need to understand their market
  • Authorisation certificates provide a mechanism for trust brokers to communicate their trust
  • Managing the lifetime of authorisation certificates is a business risk-driven issue
  • Total real-time risk exposure can be monitored
  • Real-time authorisation addresses several architectural issues
  • Multiple trust brokers
  • Chains of trust
  • chain of trust
  • Identrus — the solution adopted in the banking industry
  • Variable levels of trust
  • Strength of registration process is the key to trust
  • Low assurance registration
  • High-assurance registration
  • Verifying credentials often involves transitive trust
  • The relationship between level of trust and registration strength
  • Different levels of trust leads to different classes of digital certificates
  • The market for trust levels is still emerging

10.6. Security Domain Model

  • SABSA®Matrix cross-reference
  • The security domain concept is very powerful
  • Security domains defined
  • Security element
  • Security policy and security policy rules
  • Security policy authority
  • Isolated security domains
  • isolated
  • Independent security domains
  • independent
  • Agreements between independent domains
  • Sub-domains and superdomains
  • sub-domain
  • Trusted entities in a domain
  • Conditional and unconditional trust
  • unconditionally trusted
  • Trust is not necessarily two-way or transitive
  • Secure interaction rules
  • Agreed security services, security mechanisms and security information
  • Policy relationships in subdomains
  • Security association defined
  • Logical domain defined
  • Separation of logical domains by logical mechanisms
  • Physical domain defined
  • Separation of physical domains by physical mechanisms
  • Domain overlays are possible
  • One logical domain can span several physical domains
  • Many logical domains can share a single physical domain
  • How to apply the domain modelling tool to real situations
  • Digital business means opening up the enterprise
  • The fortress mentality is an age-old security model
  • Many legacy business systems have an eggshell model of security
  • For digital business you need something different from the eggshell approach
  • The first step is to put a gate in the hard perimeter
  • You need a more sophisticated view of trust on a continuous scale
  • A binary access control decision is not sufficiently sophisticated for a digital business environment
  • You need a much more flexible model for access control
  • The honeycomb concept
  • The egg and honey combination model
  • Multi-tiered security domains
  • Hierarchical filtering
  • Eggshells are usually physical domain boundaries
  • Honeycombs are usually logical domain boundaries
  • The overall access control strategy is a combination of the eggshell and honeycomb approaches
  • Eggshell maps to network security and honeycomb maps to application security
  • Use these concepts to model your business
  • Using these techniques helps you to create simple models representing highly complex environments
  • VPNs are useful but are not the solution for every problem
  • VPNs are constructed using encryption of the transmitted data stream
  • An open pipe interconnecting two domains forms a single domain
  • To segregate the domains you need to regulate the flow in the pipe
  • VPNs are frequently built between firewalls using IPSec technology
  • A VPN tunnel through a firewall can be built but has disadvantages
  • For extranet VPNs, the VPN client resides on the PC
  • A firewall is a network security gateway
  • Firewalls have limitations that are not always well-understood
  • The corporate domain is an island in the Internet sea
  • The firewall alone is ineffective — you need a good security perimeter, too
  • The remainder of the perimeter is mostly cultural
  • You also need a clear firewall policy
  • The firewall configuration needs proactive management

10.7. Security Lifetimes and Deadlines

  • SABSA®Matrix cross-reference
  • Fixed lifetimes prevent accumulation of dormant registrations
  • One to three years is a typical lifetime
  • Digital certificates must also be expired
  • Certificate life is less than registration life
  • Expiry is checked as part of acceptance of a certificate
  • Cryptographic keys must be limited in their exposure to cryptanalysis
  • Signature keys are retired from use, but previous signatures may still need to verified
  • Lifetime depends on security policy
  • Cryptographic keys may be archived for data recovery, implying an extended lifetime
  • Policy decays over time and needs renewal
  • Policy should stable between renewal times
  • Rules to implement policies may need to change frequently.
  • Passwords should be expired according to the security policy of the domain
  • Minimum lifetimes should also be applied to passwords
  • History files of previous passwords may be implemented
  • Issuing physical tokens is logistically demanding
  • Frequent redistribution needs to be avoided
  • Token issue should be
  • Undeliverable messages have to be managed
  • Time to live determines when delivery attempts are abandoned
  • Actions on expiry of time to live
  • Data storage should have a defined lifetime
  • Storage lifetime may apply to each phase of storage
  • Archiving lifetime for backup data
  • Continued support for reading long-term archived data
  • Secrecy lifetimes depends on business need and policy
  • Solutions must be selected with long-term secrecy requirements in mind
  • Limiting user session lifetimes prevents hacking opportunities
  • System sessions are used to limit exposure of cryptographic keys
  • The session lifetime determines the key renewal period
  • Dial-up session lifetimes are determined by connection lifetimes
  • Response time-out manages the problem of undelivered messages or responses
  • Time-out values depend on policy
  • Care is needed if messages have been actioned but acknowledgement fails
  • Inactivity time-outs deal with user carelessness
  • Hacking opportunities are reduced by inactivity time-outs
  • Actions on a time-out
  • The action chosen depends on circumstances
  • Time-out values are a policy matter
  • Time of day, day of week can be used to set access control contexts
  • Context rules can be local or central, depending on policy
  • Replay of previous messages can be a serious attack scenario
  • To prevent message replays, trusted time stamps can be used
  • One-time values allow detection of replays
  • Time is a useful concept for a nonce value, provided the time source can trusted
  • attractive
  • Nonce values detect replays — they do not prevent them
  • Trusted time service is an important common security
  • Trusted time service provides reliable time stamps for any applications that need them
  • Some applications require trusted time stamps
  • Trusted time can be delivered from the security infrastructure
  • Security processing impacts performance
  • Cryptographic processing poses the greatest problem
  • Hardware accelerator modules increase performance
  • Avoid heavy dependence on cryptographic processing that impacts time-critical processes
  • Disaster recovery must be achieved within business critical deadlines
  • Speed of recovery must be traded off against cost

10.8. Assessing the Current State of your Security Architecture

  • SABSA®methodology process-flow cross-reference
  • Planning for a programme of quick wins
  • Security Management

11. Logical Security Architecture

11.1. Business Information Model

  • SABSA®Matrix cross-reference
  • Information is the logical representation of the real business
  • Knowledge, information and data — how they are related
  • The properties of information
  • Static information has long-term stability
  • Dynamic information is unstable and changes
  • Information security requires certain services
  • Dynamic information requires additional protection services
  • The Business Attributes Profile defines the full range of services needed
  • Transaction processing has special security needs

11.2. Security Policies

  • SABSA®Matrix cross-reference
  • Security policy captures the requirements for security – what type and how much?
  • Security policy can be related to the security domain concept
  • Domain policy is set by the owner but a delegated authority (custodian) may implement policy on behalf of the owner
  • A security authority implements security policy
  • Security policy is derived from risk-based business requirements
  • Policy states what is to be done, not how
  • Hierarchical model of policy architecture
  • Integrated operational risk management policy
  • Top-level operational risk management policy
  • Cross-reference toChapter 14andChapter 15

11.3. Security Services

  • SABSA®Matrix cross-reference
  • Security services are logical descriptions, not physical
  • Security service types by defensive strategy
  • Security service examples under each defensive strategy
  • Security services need to work together
  • Integrating key security services
  • Uniqueness is critical
  • Registration prevents unauthorised participants
  • Public key certification prevents unauthorised public keys being used
  • Credentials certification prevents unauthorised credentials being used
  • Directory service is a complex critical piece of infrastructure
  • The directory holds an entry on every object
  • Objects of a similar type belong to an object class
  • Object classes can be subclasses of other super-classes
  • An entry is a set of attributes describing the object
  • Syntax rules support search and matching operations
  • A distinguished name reflects the structure in the directory tree
  • Directory functions provide access and management
  • Access is provide through an access protocol
  • LDAP functional groups
  • A search engine is used to match entries
  • Directory services are critical infrastructure needed by all other applications and services
  • Authentication and access control are needed to protect the directory
  • LDAP supports standard authentication methods
  • Access control is an issue for the implementer
  • Other security services are needed to protect the integrity and availability of the directory services
  • Inter-operability suggests international standards
  • Authorisation is multifaceted
  • Authentication of a claimant to a verifier
  • External reference of authentication
  • Defining terms
  • Possible parties to a scenario
  • No trusted third party
  • Third party intermediary
  • Key distribution for on-line authentication
  • Public key certificates for off-line authentication
  • Users are special entities
  • Users should be decoupled from the extended authentication exchanges
  • User AI may be supplied in many ways
  • Device authentication is simply a case of entity authentication
  • There are threats to remote communications between entities
  • Session authentication protects a communications session from being hijacked
  • A mutual authentication exchange is required
  • The best session authentication uses cryptographic methods and keys exchanged during the authentication handshake
  • Not all vendor claims to provide authentication in their products are necessarily sound
  • Proving that a message came from the claimed origin
  • Proving that a message remains unchanged
  • Origin and contents authentication can be combined
  • Message sequencing can also be protected
  • Protecting against the replay of previous messages
  • A one-time value protects against replays
  • Preventing the disclosure of message contents
  • Protecting against repudiation of a sent message
  • Sometimes seeing activity is enough to draw conclusions about events
  • Hiding peaks and troughs in traffic volumes

11.4. Application and System Security Services

  • Application security focuses on authorised access control
  • Previously discussed under entity security services
  • Roles provide a means to simplify access management
  • Roles can be used to segregate duties
  • First level central access control is also based on role
  • Real-time role association depends upon a number of factors
  • Theoretical models have been discussed previously
  • Three types of access control service
  • Providing evidence for later examination
  • Protecting against changes in stored data
  • Access control is one of the methods
  • Preventing disclosure of stored data
  • Greatest threat is from viruses and the like
  • Hackers can also insert malicious code
  • Multiple mechanisms are needed
  • You cannot completely eliminate the problem
  • Malicious characteristics are ‘undecidable’
  • New software must be acquired from trusted sources
  • Mechanisms are discussed later
  • Software licence control needs similar approaches to integrity protection
  • Protecting the integrity of configuration data
  • Data backup for system recovery
  • Software backup for system recovery
  • Time is used as a universally agreed value
  • The source of time values must be protected from tampering
  • Ease of use is critical for successful security

11.5. Security Management Services

  • Security management is both procedural and technical
  • A logical architecture for technical security management
  • Security management means applying policy throughout the environment
  • Policies also need to be managed
  • Discussed in more detail in the operational layer
  • Uses the same logical architecture
  • Uses the same logical architecture
  • Uses the same logical architecture
  • Reporting status from the distributed agents
  • Measuring performance against targets
  • Things that can be measured
  • Approaches to developing suitable security metrics
  • Handling unexpected events reported by agents
  • Detecting an attempted intrusion
  • Things that might signal an intrusion
  • Responding to security incidents
  • Steps in an incident response process
  • Automated response or manual response?
  • Progressive problems?
  • Minimal sustainable configurations for fall-back
  • Handling user-related security problems
  • Recovering after a major incident
  • Many mechanisms are involved
  • Handling the organisational aspects
  • Reporting on the status of security
  • Security of the physical sites and buildings
  • Ensuring the honesty and integrity of personnel
  • Securing against environmental threats

11.6. Entity Schema and Privilege Profiles

  • SABSA®Matrix cross-reference
  • A schema is a rule-set for what information can be stored
  • A schema has many benefits
  • Changes to data are checked against schema rules
  • Schema components
  • Attributes type definition
  • Objects belong to one or more object classes
  • Object class definition
  • Roles are associated with objects through special attributes
  • You need to design the schema to fit your needs for role management
  • The roles themselves are identified through business analysis
  • Some common role types
  • Examples of specific roles
  • Authorisations stored as data structures
  • Storing roles in the directory
  • Storing other types of credentials in the directory
  • Roles and credentials are also stored as objects that describe what they can do
  • Certificates and tickets are cryptographically protected sets of credentials
  • Certificates are sometime stored as attributes of an object with which they are associated
  • Tickets tend to be transitory in their lifecycle

11.7. Security Domain Definitions and Associations

  • SABSA®Matrix cross-reference
  • Logical domain specification is a powerful tool
  • Be clear about the difference between ‘logical’ and ‘physical’
  • An example
  • The example organisation has many business units and changes structure over time
  • There are numerous business partners who are granted limited access through a partner services domain
  • An extranet is used for external connections
  • No assumptions are made about the physical implementation of the extranet
  • There are home workers and road warriors
  • The external services domain provides a buffer zone
  • The intranet domain must be externalised through external services
  • Road warriors also need the partner services domain
  • The production domain is an inner sanctum to protect the business applications
  • Public web access through the Internet
  • The logical domain map is a critical design step
  • Middleware provides services integration
  • Middleware has within it a number of common service domains
  • This domain model is a different view of the same infrastructure seen in the network domain model
  • Your logical domain model should be specific to your business
  • Each service domain can be exploded up to a more detailed logical architecture view
  • Application sub-domains are roles
  • Users are in a people domain, information in an information domain
  • The extended application domain includes people and information
  • The security service management domain
  • A special case of an extended application domain
  • Domain interactions depend upon domain policies
  • An example of sub-domains and their policies
  • Policy interactions in the example

11.8. Security Processing Cycle

  • SABSA®Matrix cross-reference
  • The security processing cycle activities
  • Automated security processes
  • Defining the logical flow of each process
  • A more formal approach could use finite state machine modelling

11.9. Security Improvements Programme

  • SABSA®Methodology process flow cross-reference
  • Achieving quick wins
  • Keeping senior management satisfied
  • Understanding and Deploying LDAP Directory Services
  • Computers & Security
  • Understanding and Deploying LDAP Directory Services
  • may not

12. Physical Security Architecture

12.1. Business Data Model

  • SABSA®Matrix cross-reference
  • Physical layer focuses on data
  • This means files and databases
  • File systems offer discretionary access control
  • Files have permissions set by their owners
  • Files are locked during access to prevent concurrency conflicts
  • More details under platform security
  • File encryption as a means to protect confidentiality
  • Tamper-resistant devices can protect keys from disclosure
  • Hierarchical key management can be used
  • You need to be careful regarding the real entropy level of a password used to derive a master key
  • The entropy of the passphrase must be at least equal to the required entropy of the derived master key
  • The passphrase needs a physical secure backup for data recovery purposes
  • Practical key-management systems use these various methods
  • Cryptographic integrity checksums can be used on files
  • The DBMS offers a much richer set of functions
  • Concurrency of access is automatically managed
  • Database hierarchy
  • A database comprises tables
  • Tables comprise records
  • Records have fields
  • The DBMS automatically protects integrity
  • DBMS sub-systems
  • DBMS mechanisms
  • SQL is used for database access
  • SQL can be used to implement security mechanisms
  • Privilege conflicts are resolved in real time
  • Extensive audit logging
  • Implementing roles in a DBMS
  • Resource limitations
  • Mandatory access control as an extension
  • Multi-level secure implementations can be clumsy
  • Logical unity — physical distribution
  • Managing independent failures
  • Two-phase commitment
  • Physical storage on disks uses RAID for resilience

12.2. Security Rules, Practices and Procedures

  • SABSA®Matrix cross-reference
  • Rules are the interpretation of policies
  • Rules support automated decision making
  • ACLs contain rules
  • Rules are absolute — no interpretation is needed
  • Security practices describe behaviours
  • Security procedures give step-by-step instructions
  • Procedures are product-specific
  • Guidelines provide good advice
  • Implementation guidelines provide additional advice in specific circumstances
  • Cross-reference toChapter 14

12.3. Security Mechanisms

  • SABSA®Matrix cross-reference
  • A mechanism implements a service
  • Some (but not all) security mechanisms are described in ISO standards
  • Mapping mechanisms to services
  • Many mechanisms require little additional explanation
  • Some mechanisms are described in more detail
  • Full details can be found in specific references beyond the scope of this book
  • Cryptography supports four fundamental services
  • If the service is not a variation of these four, cryptography is not the answer
  • Cryptographic strength is most dependent upon key-length
  • Whatever the mechanism, key management is an issue
  • The encryption process transforms plaintext into ciphertext
  • Ciphertext is safely transmitted or stored, then later recovered through decryption
  • Asymmetric cryptosystems use different keys for encryption and decryption
  • One-way (irreversible) functions have many applications
  • Successful key management is the main challenge in any cryptographically secured system
  • Cryptographic checksums called seals, MACs and MICs
  • Hashing does not require a key, although it can be applied as keyed hashing
  • The checksums are regenerated by the recipient and compared with the original received checksums
  • Key management is also required
  • Public key cryptography
  • Public keys must be authentic — hence the digital certificate
  • Digital signatures prove integrity and authenticity and support non-repudiation
  • Efficiency requires a two-stage process with an intermediate hash value
  • The mechanisms for authentication exchanges
  • One-way, two-way and three-way exchanges
  • One-way authentication based on a security association
  • Extending to session authentication
  • Preventing the replay attack
  • Two-way authentication is an extension of one-way authentication
  • Three-way authentication uses random numbers in place of timestamps
  • Key management could occupy its own book
  • Principles of key management
  • The key management life-cycle
  • Two basic cryptographic architectures
  • In-line architecture for network-level encryption
  • Peer-to-peer key management
  • On-line architecture for application level cryptographic services
  • Sophisticated key management using master key hierarchies
  • Application types
  • Some broad indications of cryptographic strength
  • Algorithm strength is not the only important factor
  • Cryptographic design and assessment is a job for an expert
  • Some other cryptographic techniques
  • Strength depends on the attack capabilities of the opponents
  • Quantum computing may threaten public key cryptography as a useful technique
  • Quantum cryptography may provide the new key management solution
  • Workable systems for quantum cryptography are close at hand
  • All security mechanisms have potential vulnerabilities
  • Two cases studies provide some insight
  • The failure is of the protocol, not the algorithm
  • Once again this is a protocol failure

12.4. User and Application Security

  • SABSA®Matrix cross-reference
  • Security mechanisms to implement application-level security services
  • The CAM makes real-time decisions
  • DBMS mechanisms can be used for application security
  • File security mechanisms can provide application security
  • Discussed elsewhere under platform security
  • Mechanisms built by application developers
  • Proving a user’s identity
  • Password management raises a number of important issues to be considered

12.5. Platform and Network Infrastructure Security

  • SABSA®Matrix cross-reference
  • Infrastructure should resilient and fault-tolerant
  • Approaches to network resilience
  • Resilient host platforms
  • Capacity planning and performance management are closely related to resilience
  • Host computers run applications
  • A platform is hardware plus operating system
  • DAC file security is a standard approach
  • Common operating system security issues
  • Good practice for a production environment
  • Super-user privilege is a politically sensitive area
  • Super-user access is not the way to run professional operations
  • Lack of security at the physical hardware level has been a major issue since the invention of electronic computers
  • Traditional physical security has been through secure physical enclosure of the site, or by using tamper-resistant modules
  • These approaches suffer from limitations
  • New secure hardware architectures are needed
  • Intel has announced its LaGrande Architecture for secure hardware
  • Intel’s LaGrande is aimed at beating malicious software attacks
  • Design principles for LaGrande
  • A new generation of hardware architectures
  • Informing the user about a trusted path remains an intractable problem
  • Carrying forward the example from the previous chapter
  • Physical network topology
  • Main features
  • Physical directory topology
  • Resilient real-time mirrored masters
  • Geographical separation
  • Traffic management is an issue
  • Replica slaves provide the solution here
  • Frequency of replication
  • Managing consistency and convergence
  • Replication and currency of information
  • Dual local connections
  • Traffic patterns and convergence requirements influence your choice of physical architecture
  • Close integration of the directory and the CAM is a feature of physical implementation

12.6. Control Structure Execution

  • SABSA®Matrix cross-reference
  • Mechanisms for implementing control points in the flow of activities and events
  • Nature
  • Nature
  • The Cuckoo’s Egg
  • Internet Firewalls and Network Security
  • Understanding and Deploying LDAP Directory Services

13. Component Security Architecture

13.1. Detailed Data Structures

  • SABSA®Matrix cross-reference
  • Smooth integration requires compatible interfaces
  • International and de facto standards help to provide the compatible interfaces
  • Syntax rules for exchanged data structures is an important area for standardisation
  • ASN. 1 is used to build protocols
  • There are built-in type
  • Standard types for time values
  • Different types of character string
  • Structured types
  • Example protocol
  • Hierarchical type definitions
  • Object identifiers for registered universal objects
  • Binary encoding rules for ASN.1
  • XML is extremely flexible and can be used to create any type of’ document’
  • XML is the new generation of what used to be EDI
  • XML supports any type of electronic business and thus requires in-built security mechanisms
  • XML security standards are already available
  • XML has a much greater range of application than ASN.1
  • XML is less efficient than ASN. 1, but with bandwidth abundance this is unimportant
  • Where efficiency is important, ASN. 1 still has a role
  • ASN.1 structures are found embedded in XML documents
  • Examples of security-related data structures
  • XML offers the possibility of far more sophisticated data structures

13.2. Security Standards

  • SABSA®Matrix cross-reference
  • Standardisation allows components to be integrated into systems
  • There are many different standards from many standards bodies
  • ISO is worldwide
  • Supporting world business
  • ISO has important security standards
  • Bringing national and international standards into alignment
  • In the area of electrotechnical standards
  • Defining ‘electrotechnical’
  • Overlap with ISO
  • Co-ordinates working groups for Internet standards
  • Much activity on security standards
  • Organisational hierarchy
  • An RFC is an Internet standard
  • International harmonisation of security product evaluation
  • Brings the North American and European evaluation criteria together
  • Addressing a global market place
  • The US National standards body
  • Relevant standards series
  • The UK national standards body
  • Business continuity management standard being developed
  • Standards for international telecommunications
  • Some alignment with ISO and IEC
  • Technical engineering standards
  • Many adopted by ISO and IEC
  • Standards for information systems audit
  • Focus on IT governance
  • CobiT is an important standard
  • Standards for object-oriented architectures
  • New security protocol standard
  • Promoting web services and XML through standards
  • UN sponsorship
  • Primary body for XML development
  • Developing the full potential of the web though standards
  • World economic development
  • Security management guidelines
  • US government standards
  • US DOD standards
  • Australian standards
  • New Zealand standards
  • Security focus
  • Japanese industrial standards
  • Vendor collaboration on standards
  • Feeds into international standards
  • Security focus
  • European telecommunications standards
  • Serving the market needs of its members
  • Forum for electronic business
  • Diverse membership
  • Promoting the use of electronic business
  • Industry-wide interest
  • Platform and device security
  • Replaced the TCPA
  • Dedicated to practical research in information security
  • Standards are driven by the vendor community
  • Some vendors issue their own standards
  • Consistent good practice across the enterprise

13.3. Security Products and Tools

  • SABSA®Matrix cross-reference
  • Common types of security component

13.4. Identities, Functions, Actions and ACLs

  • SABSA®Matrix cross-reference
  • Modular components of web applications
  • Decoupling XML from business logic
  • Requirements for implementing web services
  • XML schema define the specific vocabulary to be used in a given application
  • SOAP is a simple, lightweight messaging framework
  • The messages comprise a body and a header
  • Routing is handled through a series of SOAP Nodes
  • Security service definitions are changing quickly
  • Encryption of XML documents
  • Digital signatures on XML documents
  • Digital signatures on SOAP messages
  • Key management for XML applications
  • Support for basic services
  • A language focused on security management
  • Unique identification
  • Authentication and authorisation
  • Trust assertions address wide issues of trust
  • Implementing conceptual trust models
  • Deployment of trust services as a special type of web service
  • Premium trust services
  • Future developments
  • New standards
  • Supporting security assertions
  • Another method of supporting security assertions
  • Lightweight approach
  • Not fully functional
  • Competing approaches
  • Expressing security policy to implement access control
  • Combining and resolving the interaction of complex rules
  • Automated reporting of business and financial information
  • Statutory and compliance reporting using XBRL
  • Advantages of XBRL
  • Benefits of using XML
  • Malicious code insertion is the main style of attack
  • Security architecture must address these attacks
  • XML firewall design principles
  • XML firewall security services
  • Non-web applications are not covered in this chapter because of lack of space

13.5. Processes, Nodes, Addresses and Protocols

  • SABSA®Matrix cross-reference
  • Positioning of security protocols in the stack
  • Simplicity and ubiquity
  • A common transport protocol for everything XML
  • Modified HTTP
  • Secure encapsulation of HTTP
  • HTTP over SSL
  • SSL is a vendor standard
  • TLS is an Internet RFC
  • The benefits are often misunderstood
  • Strong encrypted pipe with server-side authentication
  • What are the real benefits?
  • SSL/TLS is only one component of a holistic security architecture
  • IPSec summarised: payload encryption and packet authentication
  • Limited traffic flow confidentiality
  • Flexible use of algorithms
  • Ongoing work
  • Often misunderstood in terms of what it can do
  • Not an application security mechanism
  • IPSec provides network security
  • Extension of DNS
  • Authenticating DNS lookups
  • Flexible security mechanism to support connection-based protocols

13.6. Security Step-Timing and Sequencing

  • SABSA®Matrix cross-reference
  • Actual timing will depend on component performance
  • Focusing on component interaction is the key to gaining the best solution

14. Security Policy Management

14.1. The Meaning of Security Policy

  • SABSA®Matrix cross-reference
  • Cross-references toChapter 11andChapter 10
  • Policy is more than just words
  • Security policy means something that is alive and well in the behaviour of the organisation
  • Security policy is unique to each enterprise

14.2. Structuring the Content of a Security Policy

  • How should a policy be structured?
  • The purpose of a policy is to influence behaviour
  • Its purpose is not to sit on a shelf
  • Ask yourself whom you are trying to influence
  • If the question is too difficult, the scope of the policy is probably wrong
  • Do not include material that has no relevance influencing the target audience

14.3. Policy Hierarchy and Architecture

  • The highest-level policy states senior management intentions
  • Detailed policies focus on specific groups of people and activities
  • The set of policies needed depends upon your business
  • Hierarchical model for policy architecture
  • Top-level operational risk management policy
  • Information security is part of operational risk management
  • CA and RA policies
  • Specific policies provide more detail
  • The lower layers of the hierarchy contain supporting documents
  • Rules, practices and procedures align with the physical layer
  • Standards align with the component layer
  • Implementation guidelines are sometimes needed
  • Example

14.4. Corporate Security Policy

  • The highest level of security policy
  • Corporate security policy is a topic in ISO 17799
  • Points to consider in writing a corporate security policy

14.5. Policy Principles

  • Principles that may help you to frame policy statements
  • Least privilege is proven to work well in some circumstances
  • Where knowledge is more important than information, least privilege is of questionable value
  • The role of knowledge engineer may require a special privilege profile
  • The US Government has access to a vast amount of information. But it has a weak system for processing and using what it has. The system of “need to know” should be replaced by a system of “need to share”.’
  • Information classification is one way to manage security policy
  • Information classification is originally a military concept to protect differing levels of secrecy
  • Objects are classified, and subjects are security-cleared for access to a level of classification
  • Multi-level secure systems handle multiple levels of classification simultaneously
  • Classification has also been applied to data integrity
  • Complex classification schemes can make business operations difficult
  • If classification is also applied to availability the complexity increases
  • Many classification schemes outside of the military environment are not clearly focused on meeting a business need
  • Classification leads to complex handling procedures for those who create and have access to documents and files
  • Classified information tends to drift upwards in the classification stack
  • Be clear about the added value and business purpose of a classification scheme
  • ISO 17799 mentions classification without a clear business focus
  • System classification offers a more practical way to manage security policy
  • Granularity is manageable with this approach
  • There are many benefits

14.6. CA and RA Security Policies

  • CA and RA policies are specific to PKI-based architectures
  • CA and RA Policy issues
  • PKIX standards describe a CP and CPS
  • CP definition
  • Level of assurance associated with a certificate
  • CPS definition
  • The CPS explained
  • Part of a legally binding contract
  • Online publishing of a CP or CPS
  • The CP and CPS are orthogonal
  • CPS supports trust, whereas a CP supports interoperability

14.7. Application System Security Policies

  • System classification as a means to simplify security policy management
  • Efficiency and consistency
  • Granularity is traded off against efficiency
  • An alternative policy matrix
  • Issues to be addressed in application security policy

14.8. Platform Security Policies

  • Policies are needed for platforms of all types
  • Security policy depends on both the technology and the environment
  • Granularity of policy needs to be limited for efficiency
  • One security policy per platform type
  • Cost/benefit trade-offs
  • Strategic principles of platform security policy

14.9. Network Security Policies

  • A security policy for each network domain and sub-domain
  • Security policies for VPNs and firewalls
  • Strategic principles of network security policy

14.10. Other Infrastructure Security Policies

  • Security policies for a variety of infrastructure elements

14.11. Security Organisation and Responsibilities

  • Managing information security requires an organisational framework
  • This framework must begin at board level
  • The CEO leads executive responsibility
  • You need someone at director level to take the senior management lead
  • The director in charge is a part-time role
  • The director chosen should be a natural champion of information security
  • It is best to segregate this director role from any IT responsibility to provide the business focus
  • A management steering group provides the forum for discussion of information security issues
  • The steering group must have powers and responsibilities that attract senior members to attend meetings
  • The chief information security officer leads the operational development of information security
  • Other roles in the management of information security
  • There needs to be a liaison group for communication with those with varied and distributed roles for information security management
  • The hierarchical committee model for information security management
  • Board responsibilities
  • Executive team responsibilities
  • Steering group responsibilities
  • Liaison group responsibilities
  • Line management responsibilities

14.12. Security Culture Development

  • Everyone needs to understand their responsibilities
  • Corporate policy signed off by the CEO sends a strong message
  • Everyone must understand and live by the policy
  • There needs to be constant attention to raising awareness
  • Developing an information security brand is one way to maximise awareness
  • The brand is used in every context of information security management
  • Line managers must set a good behavioural example
  • A ‘no-blame’ culture encourages openness and team-based improvement
  • Sometimes malice and negligence need to be disciplined
  • Reporting of incidents can help to track progress
  • A co-ordinated training programme

14.13. Outsourcing Strategy and Policy Management

  • IT services are often outsourced
  • Non-IT activities are also outsourced
  • Principles for managing the security of outsourced services
  • Concepts of ownership and custody are useful in the outsourcing model
  • Service owners authorise use of the service
  • Data owners authorise use of the data
  • The model works for both internal and external service providers
  • Managing the interface with the outsourced service provider
  • Responsibilities for each party to the arrangement
  • Assurance is provided through the internal audit departments

15. Operational Risk Management

15.1. Introduction to Operational Risk Management

  • SABSA®Matrix cross-reference
  • Risk Magazine
  • Operational risk seen from different perspectives
  • Risk management involves trading off one risk against another
  • Cross-reference toChapter 9
  • Definition of operational risk

15.2. Regulatory Drivers for Operational Risk Management

  • Cleaning up the corporate act
  • Drivers for increased regulation
  • Recent governance regulations
  • Financial reporting transparency
  • Government surveillance
  • Archiving of all corporate communications
  • Representing banking supervision in the G10 countries
  • Central banks and national regulators
  • Harmonisation of national regulations
  • The first Basel Accord addressed credit risk
  • Market risk was included under various amendments
  • Amendment to the capital accord to incorporate market risks
  • The New Basel Accord includes operational risk
  • Supervision and public disclosure of risk management practices
  • Privacy for banking customers
  • Standards for electronic transmission of health care information
  • Information security is explicitly included
  • EU harmonisation of Basel II implementations
  • Standards of governance for listed companies
  • Statement in the annual report of a listed company
  • Turnbull Report: guidance on the Combined Code
  • Problems of transparency for shareholders
  • Improving transparency for shareholders
  • The FSA Integrated Prudential Sourcebook
  • FSA requirements for operational risk management
  • The use of electronic documents in the food and drug industries
  • Compliance mandated for all pharmaceutical firms
  • Creating trust and privacy in electronic documents
  • Computer security and sound business practice
  • Electronic recordkeeping is not mandated, but where it used, compliance with the regulations is mandated
  • Regulation of the civil aviation industry
  • Licensing of people, organisations and aircraft
  • Licensing implies documentation, much of it in electronic format
  • European protection of information held on private individuals
  • Defined concepts
  • The eight principles
  • A major driver for information security

15.3. The Complexity of Operational Risk Management

  • The banking industry as a case study through which to explore the complexity of operational risk
  • Exclusions may seem to be ducking the issue, but by sticking to the simpler areas the accord stands more chance of implementation
  • As new advanced risk-modelling techniques emerge these may lead to more inclusions
  • Incomplete data on the ‘tail’ risks may present a problem — because these are the catastrophic risks that one most seeks to mitigate
  • Computing value at risk
  • Fitting a probability distribution for the frequency of loss events
  • one-year
  • Fitting a probability distribution for the size of losses
  • Using Monte Carlo methods to generate the combined loss distribution
  • Designating expected losses
  • Designating severe and catastrophic losses
  • Basel II capital adequacy requirements
  • The need to collect and collate loss data systematcally
  • Pushing the limits of computational errors – problems in the tail risk areas
  • The problem of silo thinking in enterprise-wide risk management
  • Ambiguity in classifying risks — when is an exclusion not excluded?
  • Different perspectives for different requirements
  • Measuring actual loss events is often of more practical use than attempting to analyse their causes

15.4. Approaches to Risk Assessment

  • Lack of consistent complete loss data makes quantitative assessment difficult
  • Quantitative operational risk data would allow proper risk-adjusted cost calculations
  • Only risk-adjusted cost is a measure of true long-term cost
  • The past is not necessarily a good predictor of the future
  • Operational risk is a black hole in corporate risk accounting
  • The banking industry is concerned about systemic failure caused by operational risk
  • Qualitative methods as a pragmatic approach
  • Business impact assessment
  • Thresholds and bands for impact
  • Various levels of granularity
  • Quantitative methods for business impact assessment
  • Categories of business impact
  • The business impact assessment process
  • Compound probability of an event
  • Issues with statistical methods
  • Unreliable data is a major issue for quantitative methods
  • Operational knowledge and experience is the key to vulnerability assessment
  • Technical vulnerability assessment tools

15.5. Managing Operational Risk

  • Doing business requires risk taking
  • Risk management balances losses and opportunities
  • Risk management means deciding what to do about risks you have identified
  • Corporate governance implies sound risk management
  • The board must have an enterprise risk management framework
  • The ERM framework is all-encompassing
  • Enterprise risk management conceptual model
  • The external threat environment
  • The internal enterprise environment
  • The corporate governance process
  • The risk management process
  • Conceptual architecture of an operational risk management system
  • AS/NZS4360 is the only national standard for risk management
  • de facto
  • ISO standard for risk management terminology
  • Risk management standards from professional bodies
  • The AS/NZS 4360 process is very similar to the SABSA®approach
  • AS/NZS 4360 Step 1: Establish Context
  • Stating business objectives and analysing the enterprise
  • The steps are bound together by ongoing communication, consutaton, monitoring and review
  • The output is fed back as part of the iterative process
  • Fundamental similarity between standards
  • Risk register as the repository of all enterprise risks
  • Example structure for a risk register
  • Assigning ownership of risk is critical to successful risk management
  • Classify risks according to type
  • Keep track of how recently the register has been updated to ensure currency and timeliness
  • The risk register is an information repository that requires its own authorisation and access control
  • Good risk management delivers many benefits

15.6. Risk Mitigation

  • Controls are applied to mitigate risks
  • There different types of control
  • Control decisions should be supported by a cost/benefit analysis
  • Good risk management through the application of controls requires you to seek the middle path

15.7. Risk-Based Security Reviews

  • A risk-based security review of an existing system is similar to carrying out a ‘before the fact’ risk assessment
  • The risk-based assessment process for existing systems
  • Establishing the business requirements for security and control
  • Mapping the business processes
  • Identify risks in business processes
  • Associate the process-embedded risks with the Business Attributes
  • Capture types and severity of business impact
  • Using the Business Attributes Profile to normalise the measurement of impact
  • Assess vulnerabilities
  • Cakulate overal1 risk rating
  • Ratings indicate pass, fail or management decision needed
  • Senior management reporting is through the Business Attributes Profile
  • Colour coding re’, amber or green displays the worst case risk category in the Business Attributes Profile
  • Colour coding red, amber or green displays the proportional spread of risk categories in the Business Attributes Profile
  • Deciding upon risk mitigation
  • Map Risk High and Proportional Risk to Business Attributes profile
  • Presenting the risk mitigation programme to Senior Management

15.8. Risk Financing

  • Risks that remain unmitigated must be financed
  • Risk financing is achieved through insurance
  • Risk acceptance is necessary to provide a business opportunity
  • Different organisations have differing levels of risk appetite or tolerance
  • Insurers make a profit because of the statistical spread of loss events
  • The insured takes some limited risk through the excess of the insurance policy
  • Risk appetite is influenced by the spread of risks experienced by a given organisation
  • Insurance is used when the spread of risks is poor and there is high concentration of risk that needs to be financed
  • Types of insurance vary according to business need
  • Self-insurance is applicable where there is a good spread of risks
  • The cost of doing business is the first level if self-insurance
  • A premium excess is a type of self-insurance
  • Capital allocations are made against the potential for major catastrophic risk events
  • Self-owned insurance companies offer captives
  • Captives can also be rented
  • Finite insurance is based on the time value of money
  • There are also a number of exotic insurance products based on the capital markets
  • Insurance has some shortcomings
  • The definition of property can be a difficulty when insuring information confidentiality
  • Indirect or consequential losses are often excluded
  • Aggregation of losses over many clients can bring down an insurer
  • New threats are difficult to subject to actuarial analysis
  • Insurance tends to lag behind the emergence of new risks
  • In an increasingly knowledge-based economy conventional insurance may not be enough

15.9. The Risk Management Dashboard

  • Dashboards are used by managers to monitor current status of the business
  • Risk management dashboards are needed at all levels of management
  • The SABSA®Business Attributes Profile can be used directly as a risk reporting dashboard
  • Use traffic light colours and click on for drill-down
  • The drill-down through hyperlinks provides high usability
  • Ongoing monitoring and collection of data allows you to calibrate the effectiveness of controls
  • Many organisations apply a baseline control standard
  • Multiple dashboard views of the risk profile
  • XBRL is an XML-based business reporting language
  • Specialised sub-sets of XBRL are emerging as an interface standard for risk reporting

16. Assurance Management

16.1. Assurance of Operational Continuity

  • SABSA®Matrix cross-reference
  • Operational continuity is related to the SABSA®Business Attributes Profile
  • Assurance is provided by inspection of some sort
  • Detailed discussions follow

16.2. Organisational Security Audits

  • A summary of the audit and review programme
  • There are external standards that are used as audit frameworks
  • CobiT®is from the IT Governance Institute
  • CobiT®addresses the broad issues of ICT governance
  • CobiT®is mature and represents international opinion
  • The CobiT®document set
  • Using the ISO/IEC 17799 ISMS as an audit standard
  • ISO/IEC 17799:2000 is a management standard, not a technical standard
  • BS 7799 in two parts
  • ISO/IEC 17799 will not move to integrate Part 2
  • The process for managing the ISMS
  • The PDCA model
  • BS 7799-2 control objectives and controls
  • BS 7799-2 implementation guidance
  • Cross references to other management systems
  • Internal ISMS auditing
  • Qualified auditors for CobiT®and BS 7799
  • The CISA qualification
  • Alignment of CobiT®and CISA
  • Qualified BS 7799 ISMS auditors
  • The ISMS audit
  • ISMS statement of applicability
  • Grades of ISMS auditor
  • Criteria for becoming qualified as an ISMS auditor

16.3. System Security Audits

  • Security auditing defined
  • Three types of auditing activity
  • Security audit strategy
  • Auditing against accepted standards
  • Creating the policies and standards —Chapter 14

16.4. System Assurance Strategy

  • Balancing the risks: speed versus assurance
  • Risks conflict here, as in many other areas
  • Finding the balance: risk management
  • Problems in small ICT departments
  • Development control strategy
  • High-level software development lifecycle
  • Code flows from one stage to the next
  • It is impossible to test your own programs
  • Failed code goes back to the beginning
  • Emergency fixes need to be supported with a special process
  • Regression testing
  • Vendor security patches — emergency fix or not?
  • Risks and costs are always being balanced
  • Production control strategy
  • Multi-tiered strategy
  • Malicious code defined
  • Control techniques
  • Control strategy
  • Acceptable use defined
  • Unacceptable use examples
  • Content management strategy

16.5. Functional Testing

  • Functional testing defined
  • Black box testing
  • White box testing
  • Using black box testing
  • Regression testing
  • Verifying the absence of unwanted functionality is difficult
  • Key elements of a testing strategy
  • Multi-phased functional testing
  • Testing of each individual software module
  • Part of the code development process – debugging as you go
  • Exhaustive white box testing approach at the unit level
  • A testing infrastructure is needed
  • Testing the integration of already tested modules
  • Integration testing needs to be planned along with the integration itself
  • Validating the functionality of the system as a whole
  • Ensuring that system validation test development is future-proofed
  • Complexity limits the feasibility of exhaustive testing
  • System performance validation is an important part of system testing
  • Before hand-over to the users, they need to do their own tests
  • Planning of the UAT is of critical importance to its success
  • Classifying problems identified during UAT
  • User sign-off and acceptance
  • Before acceptance of a system into the operations environment, the operations group must test that it is operable
  • OAT is concerned only with operability, not business functionality
  • Operational sign-off and acceptance
  • Software QA defined
  • Good quality software
  • Other aspects of software QA
  • CMMI to benchmark development process maturity

16.6. Penetration Testing

  • Penetration testing for dynamic systems
  • Up-to-date expertise is required
  • Levels of penetration testing
  • Developing a penetration testing strategy
  • Guidelines for the Management of IT Security
  • Software Verification and Validation: A Practitioner’s Guide

17. Security Administration and Operations

17.1. Introduction to Security Management and Administration

  • SABSA®Matrix cross-reference
  • Chapter 11cross-reference
  • Prevention brings together many threads
  • Routine operational management is also required
  • The basic operational and administrative framework is described in ISO/IEC 17799:2000

17.2. Managing the People

  • Information security is part
  • Personnel management practices can protect against emloying the wrong types of people
  • Segregating duties and implementing dual control increases security
  • Dual control has many ways of being implemented
  • Fraud prevention measures often apply dual control
  • Delrgation to deputies protects business continuity
  • Independent monitoring or auditing is one solution
  • Beware of collusion amongst close friends or relatives
  • Keeping a fraud hidden often needs constant attention
  • Enforced annual leave is a good way to reveal ongoing frauds

17.3. Managing Physical and Environmental Security

  • Physical security is based upon enclosed areas with impenetrable perimeters
  • Authorised access through the perimeter requires suitable controlled access points
  • Segregation of duties must be applied to guarding activities
  • Access is allowed only by authorised personnel
  • Equipment and services require protection from malicious tampering
  • Procedures are needed for equipment maintenance and removal
  • Theft is controlled by ensuring that all valuable items are locked away

17.4. Managing ICT Operations and Support

  • All key operating procedures should be documented in detail
  • Change control maintains the stability of the operating environment
  • Change management differs from change control
  • Change management applies to the management of major changes to working practices
  • Change management encompasses many issues
  • Change management must be integral within information security management
  • Many diverse types of incident need to be handled
  • Incident impact assessment is the first step
  • Incident management is largely an operational process
  • The procedures for incident handling
  • Potential conflict between incident management and problem management
  • Good practice requires separation of system development and systems operations
  • Capacity planning has several areas of application
  • Capacity planning deals The with future requirements
  • Lack of capacity leads to business interruptions
  • Acceptance testing requires both UAT and OAT
  • Refer toChapter 16
  • Ongoing release management
  • Strategy for malicious software protection
  • Refer toChapters 11and16
  • Data backup enables disaster recovery
  • Backup strategy
  • Backups require testing
  • Managing backup media
  • Operator logs record operator activity
  • Operator log specifications
  • Media types
  • Media handling procedures
  • Ensure that equipment for media support is still available
  • Network operations procedures
  • Controlling the use of software licences
  • Processes for controlling information exchange
  • Information exchange mechanisms
  • Examples of outsourced ancillary services
  • Controlling on-site contractor personnel
  • Access management processes
  • Processes for managing outsourced ICT operations
  • Issues to be addressed
  • The asset register
  • Configuration management defined
  • Benefits of asset management and configuration control
  • The service level agreement explained
  • Change control over the SLA
  • Addressing operational security in the SLA
  • Formal agreements are the safety net
  • Success depends upon a good relationship
  • Goals of relationship management
  • Techniques for relationship management
  • Training in skills and procedures
  • Keeping the business informed
  • Types of reporting
  • Supporting service development and improvement
  • Tailoring the reports to the needs of the recipient
  • Logging significant events for audit purposes
  • Event types
  • Event log formats
  • Event log storage
  • Event log archiving
  • Tools for event log management
  • A detailed discussion is beyond the scope of this book
  • The forensics process has certain key goals
  • Forensic investigation is best carried out by trained and experienced experts
  • Problem management seeks to eradicate causes
  • There can be conflicts with incident management
  • Two main types of problem management
  • The problem management process
  • Co-ordination of user-related problems
  • Help desk support characterises the user perception of service levels
  • Specialised technology support is an important part of the help desk infrastructure
  • Three-level support
  • Help desk support is often focused upon security-related user problems
  • Dynamic setting up and configuration of components in complex distributed processing environments
  • The provisioning process
  • Security provisioning as a sub-set
  • Budget management for operational services

17.5. Access Control Management

  • Refer toChapters 10and14
  • Business requirements drive access policies
  • Operational management and administration of user access privileges
  • The user access management process
  • Use of raw system-level accounts is best avoided
  • System-level privileges should be encapsulated to restrict activities under routine circumstances
  • Raw system privilege is reserved for emergencies only
  • Cultural barriers often obstruct professional considerations
  • Refer toChapter 12
  • Types of third-party access
  • Legitimate third-party access
  • Principles of managing third-party access
  • Third-party access policy in relation to the policy architecture

17.6. Compliance Management

  • Specific information security compliance requirements
  • Elements of compliance strategy
  • Governments exert control over cryptographic technology
  • Cryptographic technology is treated in the same way as weapons technology
  • Complying with regulations requires detailed attention
  • Important international agreements
  • This issue must be proactively managed

17.7. Security-Specific Operations

  • Refer toChapters 10and11
  • Processes for managing security mechanisms
  • Processes for managing security components
  • Processes for user management

17.8. Managed Security Services

  • Outsourcing the management of certain operational security services
  • Outsourcing strategy is discussed inChapter 10
  • Benefits of outsourcing managed security services
  • Issues to be addressed
  • Strategic principles for outsourcing managed security services
  • Who is responsible and who is liable?
  • Responsibilities and liabilities

17.9. Product Evaluation and Selection

  • Procurement of security products needs careful evaluation
  • ITTs are often badly written
  • A poor ITT makes it difficult for a vendor to make a good bid
  • More effort should be invested in getting the ITT right
  • First understand what the marketplace has to offer
  • If necessary get some help from consultants to write the ITT
  • RFIs and RFPs are more flexible than tenders
  • Selection criteria must be clear from the outset
  • Business Attributes can be used to construct an evaluation plan
  • Weighted scoring can be applied
  • Also applicable to evaluating outsourced service delivery

17.10. Business Continuity Management

  • BCM is an important aspect of operational management
  • A process-centric approach is most logical way to tackle business continuity management
  • Meta-processes in large enterprises
  • Top-down business process analysis
  • Achieving up-to-date process models with delegated ownership requires a sophisticated software tool
  • The BCM process
  • Checklist of BCM activities
@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Aug 20, 2021

image

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment