
Information Security Chapter 4


Information Security

Chapter #4
Planning for Security
Agenda

• Introduction

• Information Security Planning and Governance

• Information Security Policy, Standards, and Practices

• The Information Security Blueprint

• Security Education, Training, and Awareness Program

• Continuity Strategies
Introduction
• An organization’s information security effort succeeds only when it
operates in conjunction with the organization’s information security
policy.

• An information security program begins with policy, standards, and
practices, which are the foundation for the information security
architecture and blueprint.
Introduction

• Even the smallest organizations engage in some planning: strategic
planning to manage the allocation of resources and contingency
planning to prepare for the uncertainties of the business environment.
Information Security Planning and Governance

Key Terms:

• Goals: Sometimes used synonymously with objectives; the desired
end of a planning cycle.

• Strategic plan: The documented product of strategic planning; a
plan for the organization’s intended strategic efforts over the next
several years.
Information Security Planning and Governance

Key Terms:

• Strategic planning: The actions taken by senior management to
specify the long-term goals and objectives of the organization, to
plan its future direction, actions, and efforts, and to estimate and
schedule the resources necessary to achieve those goals and
objectives.
Cont.

• Strategic planning should guide organizational efforts and focus
resources toward specific, clearly defined goals.

• After an organization develops a general strategy, it generates an
overall strategic plan by extending that general strategy into plans
for major divisions.
Planning Levels

• Tactical plan: The documented product of tactical planning; a plan for
the organization’s intended tactical efforts over the next few years.

• Tactical planning: The actions taken by management to specify the
intermediate goals and objectives of the organization in order to obtain
specified strategic goals, followed by estimates and schedules for the
allocation of resources necessary to achieve those goals and objectives.
Planning Levels

• Operational plan: The documented product of operational planning; a
plan for the organization’s intended operational efforts on a day-to-day
basis for the next several months.

• Operational planning: The actions taken by management to specify
the short-term goals and objectives of the organization in order to
obtain specified tactical goals, followed by estimates and schedules for
the allocation of resources necessary to achieve those goals and
objectives.
Planning Levels

• Strategic plans are used to create tactical plans, which in turn are
used to develop operational plans.

• The chief information security officer (CISO) and security managers
use the tactical plan to organize, prioritize, and acquire resources
necessary for major projects and to provide support for the overall
strategic plan.
Planning Levels

• Managers and employees use operational planning derived
from tactical planning to organize the ongoing, day-to-day
performance of tasks.
Information Security Governance

Terms:

• Governance: “The set of responsibilities and practices exercised by
the board and executive management with the goal of providing
strategic direction, ensuring that objectives are achieved, ascertaining
that risks are managed appropriately and verifying that the enterprise’s
resources are used responsibly.”
Information Security Governance

Terms:

• Information security governance: The application of the principles
of corporate governance to the information security function.

• The information security group’s leadership monitors and manages
all of the organizational structures and processes that safeguard
information.
Challenge ☺

Classwork:

Explain in your own words the difference between Strategic plan and
Strategic planning.
Information Security Policy, Standards, and Practices

• Policy: A set of principles or courses of action from an
organization’s senior management intended to guide decisions,
actions, and duties of constituents.

• Standard: The normal, targeted, or desired level to which a behavior
or action must be performed.
Information Security Policy, Standards, and Practices

• Guidelines: Within the context of information security, a set of
recommended actions to assist an organizational stakeholder in
complying with policy.

• Procedures: Within the context of information security, a set of
steps an organization’s stakeholders must follow to perform a
specified action or accomplish a defined task.
Policy should never contradict law:

• Policies direct how issues should be addressed and how technologies
should be used.

• Policies do not specify the proper operation of equipment or software;
this information should be placed in the standards, procedures, and
practices of users’ manuals and systems documentation.

• Policy must be able to stand up in court, if challenged; and policy must be
properly administered through dissemination and documented acceptance.
The Information Security Blueprint

• Information security blueprint: The basis for all security program
elements; a scalable, upgradeable, comprehensive plan to meet the
organization’s current and future information security needs.

• Information security framework: An outline or structure of the
organization’s overall information security strategy that is used as a road
map for planned changes to its information security environment; often
developed as an adaptation or adoption of a popular methodology, like
NIST’s security approach or the ISO 27000 series.
The Information Security Blueprint | Framework examples

[Slide of framework examples; the figures are not reproduced in this extract.]
The Information Security Blueprint | Security Architecture

Design of Security Architecture:

• Defense in depth: A strategy for the protection of information assets
that uses multiple layers and different types of controls (managerial,
operational, and technical) to provide optimal protection.

• Redundancy: Multiple types of technology that prevent the failure of
one system from compromising the security of information.
Design of Security Architecture:

Defense-in-depth (the layered controls shown in the slide figure):

• Strong firewalls
• Deploy encryption
• Vulnerability assessment b/n WS & DB
• Multi-factor authentication (MFA)
• Implementing EDR solutions
Security Education, Training, and Awareness Program

• Security education, training, and awareness (SETA): A managerial
program designed to improve the security of information assets by
providing targeted knowledge, skills, and guidance for organizations.

• The SETA program is the responsibility of the CISO and is a control
measure designed to reduce incidents of accidental security breaches
by employees.
Security Education, Training, and Awareness Program

• Employee errors are among the top threats to information
assets, so it is well worth developing programs to combat
this threat.
End Session
Continuity Strategies
Key Terms:

• Adverse event: An event with negative consequences that could
threaten the organization’s information assets or operations.

• Business continuity plan (BC plan): The documented product of
business continuity planning; a plan that shows the organization’s
intended efforts if a disaster renders the organization’s primary
operating location unusable.
Continuity Strategies
• Business continuity planning (BCP): The actions taken by
senior management to specify the organization’s efforts if a disaster
renders the organization’s primary operating location unusable.

• Contingency plan: The documented product of contingency
planning; a plan that shows the organization’s intended efforts in
reaction to adverse events.
Continuity Strategies

• Contingency planning (CP): The actions taken by senior
management to specify the organization’s efforts and actions if an
adverse event becomes an incident or disaster.

• This planning includes incident response, disaster recovery, and
business continuity efforts, as well as preparatory business impact
analysis.

• Disaster: An adverse event that could threaten the viability of the entire
organization. A disaster may either escalate from an incident or be initially
classified as a disaster.

• Event: Any occurrence within the organization’s operational
environment.

• Incident: An adverse event that could result in loss of an information
asset or assets, but does not currently threaten the viability of the entire
organization.
Terms | Cont.

• Incident response plan (IR plan): The documented product of
incident response planning; a plan that shows the organization’s
intended efforts in the event of an incident.

• Incident response planning (IRP): The actions taken by senior
management to specify the organization’s processes and procedures
to anticipate, detect, and mitigate the effects of an incident.
Cont.

A key role for all managers is contingency planning (CP).

• Various types of contingency plans are available to respond to events,
including incident response plans, disaster recovery plans, and business
continuity plans.

• Plans for incident response, disaster recovery, and business continuity
are components of contingency planning, as shown in Figure 4-12.

Figure 4-12 (caption): CP includes incident response planning (IRP),
disaster recovery planning (DRP), and business continuity planning (BCP),
in preparation for adverse events that become incidents or disasters.
Continuity Strategies | Contingency Planning (CP)

Incident Response Planning:

• Incident response planning includes the identification and
classification of an incident and the response to it.

• The IR plan is made up of activities that must be performed when an
incident has been identified.
Continuity Strategies | Contingency Planning (CP)

• If an action that threatens information occurs and is completed, it is
classified as an incident.

Adverse events are classified as incidents if they have the following
characteristics:

1. They are directed against information assets.

2. They could threaten the confidentiality, integrity, or availability of
information resources.
Continuity Strategies | Contingency Planning (CP)

• Incident response planning focuses on detecting and
correcting the impact of an incident on information assets.

• IR is more reactive than proactive, with the exception of
the planning that must occur to prepare IR teams to react to
an incident.
Continuity Strategies | Contingency Planning (CP)

• IR consists of the following four phases:

1. Planning
2. Detection
3. Reaction
4. Recovery
Continuity Strategies | Contingency Planning (CP)

• IR consists of the following four phases (continued):

1. Planning:
These plans must be properly organized and stored to be available
when and where they are needed, and in a useful format.

2. Detection:

• Incident classification: The process of examining an incident
candidate and determining whether it constitutes an actual incident.
Continuity Strategies | Contingency Planning (CP)

3. Reaction

• Incident reaction consists of actions outlined in the IR plan that guide
the organization in attempting to stop the incident, mitigate its
impact, and provide information for recovery.

• Several actions must occur quickly, including notification of key
personnel and documentation of the incident.
Continuity Strategies | Contingency Planning (CP)

3. Reaction

Terms:

• Alert message: A scripted description of the incident that usually
contains just enough information so that each person knows what
portion of the IR plan to implement without slowing down the
notification process.
Continuity Strategies | Contingency Planning (CP)

3. Reaction

Terms:

• Alert roster: A document that contains contact information
for people to be notified in the event of an incident.
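The Detection slide's classification criteria (an adverse event is an incident only if it is directed against information assets and could threaten confidentiality, integrity or availability; one that threatens the viability of the whole organization is a disaster) and the alert message and alert roster terms above, worked through as an added Python example that is not part of the chapter or of any textbook code. The Candidate fields, the roster entries and the IR plan section names are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set

CIA = {"confidentiality", "integrity", "availability"}

class Classification(Enum):
    EVENT = "event"                  # any occurrence in the operational environment
    ADVERSE_EVENT = "adverse event"  # negative consequences, but not an incident
    INCIDENT = "incident"            # aimed at information assets and threatens C, I or A
    DISASTER = "disaster"            # threatens the viability of the entire organization

@dataclass
class Candidate:
    """An incident candidate as reported by monitoring or a user (constructed fields)."""
    summary: str
    negative_consequences: bool
    targets_information_asset: bool
    threatens: Set[str]              # subset of CIA
    threatens_org_viability: bool = False

def classify(c: Candidate) -> Classification:
    """Apply the chapter's criteria: an adverse event is an incident only if it is
    directed against information assets AND could threaten C, I or A; one that
    threatens the whole organization's viability is classified as a disaster."""
    if not c.negative_consequences:
        return Classification.EVENT
    if c.threatens_org_viability:
        return Classification.DISASTER
    if c.targets_information_asset and (c.threatens & CIA):
        return Classification.INCIDENT
    return Classification.ADVERSE_EVENT

# Constructed alert roster (role -> contact); a real roster also holds phone and
# pager details and is kept in a form that is reachable when systems are down.
ALERT_ROSTER = {"IR manager": "ir-manager@example.invalid",
                "CISO": "ciso@example.invalid"}

def alert_message(c: Candidate) -> Optional[str]:
    """Scripted alert: short enough not to slow notification, but naming the
    classification and the affected properties so each recipient knows which
    portion of the IR plan to execute. Returns None when no alert is warranted."""
    cls = classify(c)
    if cls in (Classification.EVENT, Classification.ADVERSE_EVENT):
        return None
    props = ", ".join(sorted(c.threatens & CIA)) or "none listed"
    recipients = "; ".join(f"{role} <{addr}>" for role, addr in ALERT_ROSTER.items())
    return (f"{cls.value.upper()}: {c.summary} | affected: {props} | "
            f"execute IR plan section '{cls.value}' | notify: {recipients}")
```

Calling `alert_message(Candidate("ransomware on file server", True, True, {"availability", "integrity"}))` yields an INCIDENT alert naming the two affected properties and the roster contacts, while a candidate with no negative consequences yields no alert at all.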
Continuity Strategies | Contingency Planning (CP)

Reaction | Incident Containment Strategies:

• The first priority of incident reaction is to stop the incident or contain
its scope or impact.

• The ultimate containment option, which is reserved for only the most
drastic scenarios, involves a full stop of all computers and network
devices in the organization. This step is taken only when all control of
the infrastructure has been lost.
Continuity Strategies | Contingency Planning (CP)

Reaction | Incident Containment Strategies:

• The bottom line is that containment consists of isolating affected
channels, processes, services, or computers and stopping the losses.

• Taking down the entire system, servers, and network may accomplish
this objective. The incident response manager, with the guidance of
the IR plan, determines the length of the interruption.
Continuity Strategies | Contingency Planning (CP)

4. Recovery

• Once the incident has been contained and control of the systems is
regained, the next stage of the IR plan is incident recovery.

• The organization must assess the full extent of the damage to
determine how to restore the system to a fully functional state.
Continuity Strategies | Contingency Planning (CP)

4. Recovery

Terms:

• After-action review: A detailed examination and discussion of the
events that occurred, from first detection to final recovery.

• Computer forensics: The process of collecting, analyzing, and
preserving computer-related evidence.
Continuity Strategies | Contingency Planning (CP)

4. Recovery

Terms:

• Evidence: A physical object or documented information that proves
an action occurred or identifies the intent of a perpetrator.

• Full backup: A complete backup of the entire system, including all
applications, operating system components, and data.
Recovery
Full recovery from an incident requires the following actions:

1. Identify the vulnerabilities that allowed the incident to occur and
spread. Resolve them.

2. Address the safeguards that failed to stop or limit the incident.

3. Evaluate monitoring capabilities if they are present. Improve their
detection and reporting methods or install new monitoring
capabilities.
Recovery

4. Restore the data from backups.

5. Restore the services and processes in use. Compromised services
and processes must be examined, cleaned, and then restored.

6. Continuously monitor the system. If an incident happened once, it
can easily happen again.

7. Restore confidence to the organization’s communities of interest.


Continuity Strategies | Contingency Planning (CP) | IR

• Before returning to routine duties, the IR team must conduct an
after-action review or AAR.

• All key players review their notes and verify that the IR
documentation is accurate and precise.

• All contingency planners live by the following words: “plan for the
worst and hope for the best”.
End Chapter 4
