Editor's note

Recommendations

Info

An Introduction to the NIST Risk Management Framework This article will introduce the NIST Risk Management Framework. It will cover the steps of system categorization, the selection of security controls, the implementation of the selected controls, the assessment of control implementation, and the system authorization process. Creating an effective information security program can be a daunting task. If you are lucky, you work for a company with an existing security program, clearly defined security mandates, and support from senior management. But, what do you d o if you are given the task of creating a security program for your organization? This article will guide you through the process of creating an effective security program using the NIST risk management framework. Even if you are not directly responsible for creating a security program, you may find it helpful to understand how security programs are created and why certain items are prioritized by auditors. It seems like information security is in the news on a daily basis. We’ve all seen the news stories about companies that have been breached. The motives for the breaches may range from financial gain, industrial espionage, revenge against a perceived injustice, or the political goals of terrorists. In response to the many breaches, new laws are being passed mandating protection of certain types of information. Even if your organization is not directly impacted by new statues, your organization may be forced to create an information security program to comply with customer requirements or in response to a security incident. External forces requiring the creation of a security program are not enough to ensure a successful program; you need the support and commitment of senior starterkit 02/2011(2) SOLUTIONS management for your efforts to succeed. If management is being forced to create a security program, they may resent the requirement and provide minimal support. It is quite possible the first challenge you may face is overcoming the resistance of management. Management usually focuses on increasing revenues and reducing costs. It is only natural for them to view an information security program as an added cost and a productivity barrier to the business. If you are able to demonstrate how a security program can not only meet your compliance requirements but, add value to the business, you will gain more support for your efforts. Your first task is to understand the goals of the organization. Once you understand the organizational goals, it is helpful to frame communications with management in the terms important to them. Security is usually discussed in terms of confidentiality, integrity, and availability, often referred to as the CIA triad. Improved integrity can reduce the costs associated with rework and correction. Improved availability can increase revenues and improve customer satisfaction. Improved confidentiality can protect your intellectual property. An information security program can also improve operational consistency as part of an organizational risk management program. After obtaining the support of senior management, a security standard should be chosen. There are Page 36 http://pentestmag.com
several security standards in widespread use. The most common standards are ISO27001, COBIT, and NIST. The International Organization for Standardization (ISO) [1] and the International Electrotechnical Commission (IEC) [2] created the ISO27001 [3] standard. This global standard is used heavily in Europe. The Information Systems Audit and Control Association (ISACA) [4] created the Control Objectives for Information related Technology (COBIT) [5] that is widely used for compliance with the US Sarbanes Oxley Act (SOX) requirements for US publicly traded companies. The National Institute of Standards and Technology (NIST) has developed a series of standards that are published at the Computer Security Resource Center [6]. The NIST standards are widely used by US government agencies. This article will discuss using the NIST Risk Management Framework but, the basic steps also apply to the other frameworks. After selecting a security framework, the system boundaries and information assets should be identified. It is easy to overlook information that is not contained in the computer systems such as paper forms. All information should be considered, even items not directly covered by regulations. For example, if your organization is a health care company, it would be easy to focus solely on the patient health information but, overlook the employee payroll information, the customer billing data, or the integrity of the financial systems. Once the information assets have been identified, you need to determine the business unit that owns the information resource. Meetings should be scheduled with the senior manager in charge of the unit so you can perform a business impact analysis (BIA). A business impact analysis will attempt to estimate the mission impact of failure to meet the security objectives of confidentiality, integrity, and availability. NIST Federal Information Processing Standards Publication 199 (NIST FIPS Pub 199 [7]) recommends classifying systems into the categories of Low, Medium, and High impact. A system is considered low impact if the loss of confidentiality, integrity, or availability has a limited adverse effect on the organization. The system is considered medium impact if the loss of confidentiality, integrity, or availability has a severe impact on the organization. The system is considered high impact if they loss of confidentiality, integrity, or availability would have a catastrophic effect on the organization. When evaluating a system, you should consider confidentiality, integrity, and availability separately. The overall score of the asset is the highest rating of the three categories. starterkit 02/2011(2) A rating of not applicable should not be used since each system should have a low water mark of business impact. As an example, let’s consider a public facing webserver for a movie theater that advertises the currently showing films and show times. The information on the website is expected to be publicly available so the business impact for disclosure is considered low. Since the website is frequently updated with new movies and show schedules, website defacement or inaccurate information would be quickly corrected and result in a low business impact for integrity. Since many patrons of the movie theater check the website for movies and schedules when considering attending the movie, a loss of availability for several weeks could have a catastrophic impact on the business resulting in a rating of high impact for availability. The highest score of the confidentiality, integrity, and availability categories is high so the overall score of the system is high. It is important when characterizing the impact level of the systems to evaluate both user data as well as system data. System information could include password files, encryption keys and certificates, authenticated sessions, etc. Instead of focusing entirely on the individual system, the system should be evaluated in the context of the overall enterprise. For example, a low impact system could be used to compromise a higher impact system if network segmentation and firewall rules allow an attacker to pivot in the network or provide other resources for an attacker. The preliminary categorization of the system should be adjusted to reflect any legal or contractual obligations, the organizational environment, organizational mission and goals, and data sharing requirements. The information obtained through the system characterization will be used for several activities in the development of a security program. Business continuity and disaster recovery planning activity needs the business impact analysis (BIA) to determine the maximum tolerable downtime (MTD) used to establish the recovery time objectives (RTO). Enterprise risk management needs the BIA to identify resources that need to be protected during the enterprise risk assessment process. Capital planning needs the BIA to properly allocate resources when budgeting. Enterprise architects and system designers need the BIA to align technical initiatives with business priorities. Vendor management processes need a BIA to define data protection requirements when sharing data and interconnecting systems. After categorizing the security level of the information asset, appropriate controls should be considered. The Page 37 http://pentestmag.com
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19 and 20: password and then end up having to
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33 and 34: analysis that should not be made by
Page 35: If we have made an in-depth risk an
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?