
Module-2 Security Management

Chapter 2: Security Laws and Standards


1. Security Assurance
2. Security Laws
3. IPR
4. International Standards
5. Security Audit
6. SSE-CMM / COBIT

4. International Standards:
• Cybersecurity standards are techniques, generally set out in published materials, that
attempt to protect the cyber environment of a user or organization.
• This environment includes users, networks, devices, all software, information in
storage, applications, services, and systems that can be connected directly or indirectly to
networks.
• The principal objective is to reduce the risks, including prevention or mitigation of
cyber-attacks.
• TC (Technical Committee) CYBER is responsible for the standardization of cyber
security internationally and for providing a center of relevant expertise for other ETSI
committees.
• The committee looks in particular at the security of infrastructures, devices, services
and protocols, as well as at security tools and techniques.
• It offers security advice and guidance to users, manufacturers, and network and
infrastructure operators.
• Its standards are freely available online.
• ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes best
practice for an information security management system (ISMS). Accredited certification
to ISO 27001 demonstrates that an organization is following international information
security best practices.

5. Security Audit (Risk Assessment)

• A security audit is a systematic evaluation of the security of a company's information
system, measuring how well it conforms to a set of established criteria.
• It scrutinizes an organization's physical, financial and computer access control procedures
and systems to determine its level of vulnerability to attacks or intrusions by
unauthorized personnel or criminals.
• A vulnerability is a weakness that allows an attacker to reduce a system's information
assurance.
• An audit can be done by manual assessment or by automated assessment.
• Automated assessments include system-generated audit reports.
Why do a Security Audit?

• Information is power
• Expectations
• Measure policy compliance
• Assessing risk & security level
• Assessing potential damage
• Change management

When to audit?
• Emergency!
• Before prime time
• Scheduled/maintenance

Who
Risk assessment committee, co-chaired by a high-level administrator and the senior IT
staff member.

How to do audit?

1. Asset Identification and Classification (Defining the Scope of Your Audit: Creating
Asset Lists)

List of common sensitive assets:

1. Computers and laptops
2. Routers and networking equipment
3. Printers
4. Cameras, data (sales, customer information, employee information)
5. Company smartphones/PDAs
6. Regular phone call recordings and records
7. Email
8. Log of employees' daily schedules and activities
9. Web pages, especially those that ask for customer details
10. Web server

2. Threat and Vulnerability Assessment

• This is one of the most important steps in the risk analysis process. Once all assets
have been classified, list potential threat sources for each one.
• A threat is "any circumstance or event with the potential to cause harm to an
IT system".
• Threat list:
i. Computer and network passwords
ii. Physical assets
iii. Data backups
iv. Logging of data access
v. Access to sensitive customer data, e.g., credit card info
vi. Long-distance calling
vii. Emails

3. Evaluation of Controls
• Once assets, threats, and vulnerabilities have been identified, evaluate potential
countermeasures.
• These should be thought of in terms of whether they prevent, detect, or respond to
attacks.

4. Analysis, Decision, and Documentation
• The final step is to analyze your controls and then make decisions about which
ones you want to implement.
• Begin with a cost-benefit analysis.
• Estimate costs for all suggested safeguards to mitigate a risk.
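The four audit steps above, worked through as an added Python example that is not part of the lecture notes: an asset is classified (step 1), a threat with an estimated frequency is attached to it (step 2), candidate controls are labelled prevent/detect/respond (step 3), and a cost-benefit analysis decides which safeguards to adopt (step 4). The loss-expectancy formulas (single loss = asset value × exposure, annual loss = single loss × incidents per year) and all money figures are assumptions of this example, constructed for illustration; the notes only say to estimate the cost of each safeguard.

```python
"""Added example: a minimal risk register for the four audit steps.
Formulas and figures are assumptions, not taken from the notes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str   # step 1: e.g. "confidential", "internal", "public"
    value: float          # estimated impact if fully lost (constructed figure)


@dataclass(frozen=True)
class Threat:
    asset: Asset
    description: str
    exposure: float       # fraction of the asset's value lost per incident
    annual_rate: float    # expected incidents per year (estimate)

    def single_loss(self) -> float:
        # Assumed formula: single loss expectancy = asset value x exposure
        return self.asset.value * self.exposure

    def annual_loss(self) -> float:
        # Assumed formula: annual loss expectancy = single loss x annual rate
        return self.single_loss() * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    kind: str             # step 3: "prevent", "detect" or "respond"
    annual_cost: float    # yearly cost of the safeguard
    risk_reduction: float # fraction of the annual loss the safeguard removes


def net_benefit(threat: Threat, control: Control) -> float:
    """Step 4: annual loss avoided minus the annual cost of the safeguard."""
    return threat.annual_loss() * control.risk_reduction - control.annual_cost


def decide(threat: Threat, candidates: list[Control]) -> list[Control]:
    """Keep only safeguards whose benefit exceeds their cost, best first."""
    worthwhile = [c for c in candidates if net_benefit(threat, c) > 0]
    return sorted(worthwhile, key=lambda c: net_benefit(threat, c), reverse=True)


def missing_kinds(selected: list[Control]) -> set[str]:
    """Which of prevent/detect/respond the chosen set still lacks."""
    return {"prevent", "detect", "respond"} - {c.kind for c in selected}


def sample_register() -> tuple[Threat, list[Control]]:
    """Constructed sample data for the 'web server' asset in the notes' list."""
    web = Asset("Web server", "confidential", value=50_000.0)
    threat = Threat(web, "Customer-detail form compromised via an unpatched service",
                    exposure=0.4, annual_rate=0.5)
    controls = [
        Control("Monthly patch cycle", "prevent", annual_cost=3_000.0, risk_reduction=0.8),
        Control("Review of web access logs", "detect", annual_cost=2_000.0, risk_reduction=0.3),
        Control("Managed WAF subscription", "prevent", annual_cost=12_000.0, risk_reduction=0.9),
        Control("Incident response retainer", "respond", annual_cost=9_000.0, risk_reduction=0.5),
    ]
    return threat, controls


def audit_report(threat: Threat, controls: list[Control]) -> str:
    """Documentation output for step 4: decisions plus uncovered control kinds."""
    chosen = decide(threat, controls)
    lines = [f"Asset: {threat.asset.name} ({threat.asset.classification}), "
             f"annual loss expectancy {threat.annual_loss():,.0f}",
             f"Threat: {threat.description}"]
    for c in chosen:
        lines.append(f"  adopt {c.name} [{c.kind}], net benefit {net_benefit(threat, c):,.0f}")
    gaps = missing_kinds(chosen)
    if gaps:
        lines.append("  no cost-justified control of kind: " + ", ".join(sorted(gaps)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_report(*sample_register()))
```

With the sample figures the patch cycle and log review pay for themselves, the WAF and the retainer do not, and the report flags that nothing cost-justified covers the "respond" category, which is exactly the kind of gap the documentation step should record for management.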
Audit Tools:

Sr. No   Tool                        Type
1        COPS/Tiger                  Change/intrusion detection
2        Crack                       Password cracking
3        L0phtCrack                  Password cracking
4        ISS Suite                   Port scanner, network information
5        nmap                        Port scanner
6        tcpdump                     Network monitoring
7        sniffit                     Network monitoring
8        CyberCop Security Scanner   Password cracking, network information
9        TripWire                    Change/intrusion detection

6. SSE-CMM / COBIT

• Systems Security Engineering Capability Maturity Model (SSE-CMM)
  o A tool for performance measurement and evaluation
• Balanced Scorecard (BSC) Framework
• Control Objectives for Information Technology (COBIT)
• An integrated framework that addresses the need for organizational information security
requirements.
• The COBIT framework is published by the IT Governance Institute and the Information
Systems Audit and Control Association (ISACA).
• The goal of the framework is to provide a common language for business executives to
communicate with each other.
• COBIT aims "to research, develop, publish and promote an authoritative, up-to-date,
international set of generally accepted information technology control objectives for day-
to-day use by business managers, IT professionals and assurance professionals."
• It also promotes alignment between business, IT and information security strategies.
• In 1996, the first edition of COBIT was released.
• COBIT 5 is the latest iteration of the framework.

Benefits of COBIT

• Improve and maintain high-quality information to support business decisions
• Use IT effectively to achieve business goals
• Ensure IT risk is managed effectively
• Ensure organizations' investments in IT
• Achieve compliance with laws, regulations and contractual agreements.
