Sine Qua Non. Jennifer Bayuk, CISA, CISM, CGEIT Independent Information Security Consultant Jennifer L Bayuk LLC 1

Transcription

1 Sine Qua Non Jennifer Bayuk, CISA, CISM, CGEIT Independent Information Security Consultant Jennifer L Bayuk LLC 1

2 Security Metrics Security Goals Security Process Information and LAN Systems Environment Security Performance or Goal Indicators Jennifer L Bayuk LLC 2

3 Map to Program Objectives Maps linking metrics to InfoSec program objectives are based on the relationship of a process to an objective and are defined by the attributed of each people, process, or technology component. Maps may be based on any data source, including: Logs Configurations Services Tasks Surveys Jennifer L Bayuk LLC 3

4 Types of Metrics A - Activity Related Metric: Metrics that Measure Work Activity T - Target Related Metric: Metrics that Have a Measurable target (i.e. No Missing Logs) R Remediation Metric: Metrics that Show Progress toward a Goal M - Monitor Related Metric: Metrics that Monitor Processes Jennifer L Bayuk LLC 4

5 Example A Number of calls related to password reset. T Percent of user records that have a security identification code on file R Number of user accounts hijacked via unauthorized password reset. M For each staff member, percent of password reset calls where staff followed (and/or documented) process. Jennifer L Bayuk LLC 5

6 Focus on Target: What is 100% User: System: Inventory Identity Management Hardware Application: Component Mapping Data: Information Classification No target metrics have credibility unless there is a definition of 100%. Jennifer L Bayuk LLC 6

7 Focus on Applications Source code to component Component to software configuration Component to hardware platform Component to network service Jennifer L Bayuk LLC 7

8 Application components APPLICATION Web Services Authentication Web2.0 Desktop CODE BASE Message Bus GUI Data Services REUSABLE SOFTWARE Load Balancer Web Server Database CONTAINER COMPONENTS Operating Sys Network Monitoring INFRASTRUCTURE COMPONENTS Jennifer L Bayuk LLC 8

9 Component to software config Web Services Custom Source Code Authentication Interface Database Interface Message Bus Interface Web Server Config Jennifer L Bayuk LLC 9

10 Component to hardware platform Network Monitor Load Balancer Web Server Web Service GUI Web Server Web Service GUI Auth Services Database Interface Auth Interface Database Interface Server 1 Server 2 Database Interface Server 3 Web Services Compute Module Message Bus Interface Server 4 Message Bus Message Bus Interface Server 5 Database Management System Server 6 Jennifer L Bayuk LLC 10

11 Virtual Machine Complications Multiple Virtual Network Addresses Web Services Operating System Web Services Operating System Auth Services Operating System Virtual OS Config Utilities Operating System of Virtual Device Points of administration. Admin Console Jennifer L Bayuk LLC 11

12 Potential Data Sources Enterprise Management System Configuration Management Database Application Inventory Jennifer L Bayuk LLC 12

13 Enterprise Management System IP centric asset inventory OS and Infrastructure focused Requires coordinated data entry or feeds to align with business process Typically snmp, may be client-server-based. Jennifer L Bayuk LLC 13

14 Configuration Management DB Operations focused Provides relationships between configuration items Requires coordinated data entry or feeds to align with asset inventory and/or business process CPU DISK PROCESS X231 HXL2Z GZETS CPU DISK PROCESS X231 HXL2Z GZETS The system shall provide an administrator with the capability to monitor the state of availability of critical system resources (e.g., overflow indication, lost messages, and buffer queuesthe system shall prevent buffer overflow conditions that allow for unauthorized access. 3For software and data created or modified in the system, the system shall provide an administrator with the capability to retrieve the user-id along with the date and time associated with that creation or modification. Typically used to support operations and service desk. Jennifer L Bayuk LLC 14

15 Application Inventory Development focused Provides accountability for maintenance of software Requires coordinated data entry or feeds to align with asset inventory Typically used to justify IT Spend to Business Customers. Jennifer L Bayuk LLC 15

16 Data Source Consolidation Application Inventory APPLICATION COMPONENT data Configuration Management Database COMPONENT ASSET data Enterprise Management System ASSET data UNIVERSE METRICS Jennifer L Bayuk LLC 16

17 Link Indexes to Security Data Application Inventory Configuration Management Database Enterprise Management System APPLICATION COMPONENT ASSET COMPONENT ASSET data data data UNIVERSE From Data Consolidation slide Security Review Database Control Attributes APPLICATION IMPACT BCP Data Accountability Attributes COMPONENT IT Manager Identity Management Database Support team Common Indexes cannot be expected to exist in different realms and different management domains. Expectations for linkage must be articulated. Jennifer L Bayuk LLC 17

18 Potential Security Process Links 1. Security Software Configuration 2. Change Authorization Correlation 3. Security Review or Audit Scope 4. Information Classification 5. Outsourcing Arrangements 6. Application Impact 7. Business Recovery Objectives 8. System Development Projects Jennifer L Bayuk LLC 18

19 Potential accountability links 1. Line of Business 2. Development Team Acronym 3. IT Manager Realm of Responsibility 4. Support Escalation Chain 5. Identity Management System Jennifer L Bayuk LLC 19

20 Typical Gaps 1. Application Index or Acronyms e.g.: without associated equipment 2. Vendor Software Release Identifier e.g.: not associated with any application 3. Network IP Address e.g.: with no equipment serial numbers 4. Equipment Serial Number e.g.: not associated with any vendor Jennifer L Bayuk LLC 20

21 Conclusion Not only is it possible to specify minimum datasets that are required to maintain security, it is a necessary (though not sufficient) requirement to produce any other security metric. Jennifer L Bayuk LLC 21