Organizational Asset

Information Security Essentials for IT Managers

Albert Caballero, in Computer and Information Security Handbook, 2009

Publisher Summary

Information security involves the protection of organizational assets from the disruption of business operations, modification of sensitive data, or disclosure of proprietary information. The protection of this data is usually described as maintaining the confidentiality, integrity, and availability (CIA) of the organization's assets, operations, and information. For information security managers, it is crucial to maintain a clear perspective of all the areas of business that require protection. Through collaboration with all business units, security managers must work security into the processes of all aspects of the organization, from employee training to research and development. Security is not an IT problem, but a business problem. Information security is a business problem in the sense that the entire organization must frame and solve security problems based on its own strategic drivers, not solely on technical controls aimed to mitigate one type of attack. Security goes beyond technical controls and encompasses people, technology, policy, and operations in a way that few other business objectives do. The evolution of a risk-based paradigm, as opposed to a technical solution paradigm for security, has made it clear that a secure organization does not result from securing technical infrastructure alone.

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780123743541000145

Information Security Essentials for Information Technology Managers

Albert Caballero, in Computer and Information Security Handbook (Third Edition), 2017

1 Introduction

Information security involves the protection of organizational assets from the disruption of business operations, modification of sensitive data, or disclosure of proprietary information. The protection of this data is usually described as maintaining the confidentiality, integrity, and availability (CIA) of an organization's assets, operations, and information. Beyond that, information security must become a design consideration at the core of every infrastructure, application, and system. It is no longer sufficient to look at information security as maintaining the three basic tenets of CIA. While these core concepts remain the holy grail of security, the protection mechanisms needed to ensure that these three tenets are sustained in any environment can take many forms. Information security controls must have situational awareness and must be implemented with customized tactics and varying methodologies to be effective. One philosophy security professionals can adopt that transcends the three basic tenets listed in this section is to consider every aspect of implementation in three fundamental areas: Attack Resiliency, Incident Readiness, and Security Maturity, depicted in Fig. 24.1.

Figure 24.1. Information security strategy.

Attack resiliency helps protect core business assets from internal and external attacks by implementing strong technical controls and adhering to industry best practices. When considering how to protect assets and data it is important to make the distinction between on-premises, public cloud, private cloud, and hybrid environments. When protecting assets that are in a public cloud the traditional protection mechanisms will not suffice, and in many cases they will not apply, because the subscriber will have little or no access to the underlying infrastructure or operating systems. When building a private cloud infrastructure the data owners remain autonomous and are responsible for all of their own security operations, which can be a double-edged sword. If there is not a highly skilled and experienced IT team with a supporting security design architect, or if the IT organization is not able to perform, automate, and deliver at the level of a service provider, then it is easy to let potentially dangerous considerations fall by the wayside.

Incident readiness is a key strategic component that can help in early detection of security breaches or incidents. When a security breach is detected it is common for an organization to call in professional help from the outside to assist with incident response and recovery, especially if it runs its own private or hybrid cloud environment. A common issue is that when the third party is engaged and appears on-site to help, the first thing they do is request relevant information such as log data, packet captures, and forensic images. If an organization has not put the necessary controls in place before the security incident occurs, it often happens that all traces of the breach have been overwritten or deleted by the time it is investigated. Tools that perform functions such as capturing event logs and vulnerability data, network packet inspection, endpoint recording, and live response will help build the visibility needed to effectively identify and respond to security incidents whenever they are discovered.

Even today, organizations have not reached a level of security maturity that will significantly deter attackers from compromising their data. Building a mature information security program with a comprehensive, risk-based, and business-aligned strategy is necessary for other controls to be effective. Among the items that are part of mature information security programs are policies that make sense, a detailed incident response plan, and an all-inclusive user awareness program. Information security management as a field is ever increasing in demand and responsibility as most organizations are spending larger percentages of their IT budgets in attempting to manage risk and mitigate intrusions. For information security managers, it is critical to maintain a clear perspective of all the areas of business that require protection.

Through collaboration with other business units, security managers must work security into the processes of each area within the organization, as security is not an IT issue, it is a business issue. The evolution of what it means to embark on this security journey as an information security manager is depicted in Fig. 24.2 [12]. We have moved from an ad hoc and infrastructure-based mentality to compliance-based and threat-based. The next evolution must consist of a risk-based paradigm that strives to be aligned with the business. Securing the organization's technical infrastructure can no longer provide complete protection for assets, nor will it protect other things that are not dependent on technology for their existence or protection, such as the people and the business. Thus, the organization that does not evolve into a business-aligned security strategy will ultimately be lulled into a false sense of security, relying solely on the perception of what is important without taking into account what is truly core to the business.

Figure 24.2. The security journey: a business-aligned strategy.

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780128038437000247

Security Risk Management

Kevin E. Peterson, in The Professional Protection Officer, 2010

Summary

Risk management is a critical process that touches every aspect of organizational asset protection as well as the activities of the professional protection officer. There are many specific and formalized models—even some sophisticated computer models—for risk management, but all are based on a basic "asset-threat-vulnerability-impact" model. The simple objective is "smart security decisions," whether it is how to structure a huge multi-national corporation's security function or how to word an incident report.

Every protection professional should become intimately familiar with the concepts of security risk management—and incorporate them into their mind-set and business practices at all levels.

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9781856177467000274

Metrics and Indicators as Key Organizational Assets for ICT Security Assessment

Luis Olsina, ... Guillermo Covella, in Emerging Trends in ICT Security, 2014

In this chapter we state that metrics and indicators are key, reusable organizational assets for providing suitable data and information for analyzing, recommending, and ultimately making decisions. In a nutshell, the metric represents the specification of a measurement process that transforms an entity attribute (i.e., the input; such as a security property) into a measure (i.e., the output, which is data), and the (elementary) indicator is the specification of an evaluation process, which has as input a metric's measure and produces an indicator value (i.e., information). There is abundant literature on ICT security and risk assessment, but very often basic issues such as why, what, how, when, who, and where to measure and evaluate are weakly intertwined and specified. One hypothesis in our research is that, without appropriate recorded metadata of information needs, attributes, metrics, and indicators, it is difficult to ensure that measure and indicator values are repeatable and consistently comparable among an organization's measurement and evaluation (M&E) projects. We show the added value of metrics and indicators as informational resources for M&E processes, illustrating a couple of them from a system security practical case.
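The metric/indicator separation described above, as an added example that is not code from the chapter. A metric is recorded as a specification (entity, attribute, scale, unit, procedure) with the measurement function, and an elementary indicator is recorded as a separate specification (information need, decision criteria) that consumes the metric's measure. The security attribute chosen here (share of privileged accounts without MFA), the decision criteria, and the two account inventories are all constructed for illustration.

```python
"""A metric and an elementary indicator as recorded specifications.

Added example, not from the chapter. The security attribute (privileged
accounts lacking MFA), the decision criteria and the two account inventories
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Sequence, Tuple


@dataclass(frozen=True)
class Metric:
    """Specification of a measurement process: attribute -> measure (data)."""
    name: str
    entity: str           # what is measured
    attribute: str        # the property of the entity being quantified
    scale: str
    unit: str
    procedure: str        # how the measure is obtained, recorded so it is repeatable
    measure: Callable[[Sequence[dict]], float]


@dataclass(frozen=True)
class Indicator:
    """Specification of an evaluation process: measure -> indicator value (information)."""
    name: str
    information_need: str
    metric: Metric
    # decision criteria: (inclusive upper bound on the measure, level), ascending
    criteria: Tuple[Tuple[float, str], ...]

    def evaluate(self, entities):
        value = self.metric.measure(entities)
        for bound, level in self.criteria:
            if value <= bound:
                return value, level
        raise ValueError(f"measure {value} outside the criteria range")


def share_privileged_without_mfa(accounts):
    """Constructed measurement procedure for the MFA_GAP metric below."""
    priv = [a for a in accounts if a["privileged"]]
    if not priv:
        return 0.0
    return sum(1 for a in priv if not a["mfa"]) / len(priv)


MFA_GAP = Metric(
    name="PrivMFAGap",
    entity="account inventory",
    attribute="share of privileged accounts without MFA enforced",
    scale="ratio",
    unit="dimensionless",
    procedure="count privileged accounts whose mfa flag is false, divide by privileged accounts",
    measure=share_privileged_without_mfa,
)

MFA_GAP_LEVEL = Indicator(
    name="PrivMFAGapLevel",
    information_need="decide whether privileged access needs an MFA remediation project",
    metric=MFA_GAP,
    criteria=((0.0, "satisfactory"), (0.10, "marginal"), (1.0, "unsatisfactory")),
)

# Constructed inventories from two M&E projects (two systems, or one system
# measured at two points in time). Same metric and same criteria, so the
# resulting indicator values are directly comparable.
PROJECT_A = [
    {"user": "alice", "privileged": True, "mfa": True},
    {"user": "bob", "privileged": True, "mfa": False},
    {"user": "carol", "privileged": True, "mfa": True},
    {"user": "dave", "privileged": False, "mfa": False},
]
PROJECT_B = [
    {"user": "erin", "privileged": True, "mfa": True},
    {"user": "frank", "privileged": True, "mfa": True},
    {"user": "grace", "privileged": False, "mfa": False},
]


def compare(indicator, *projects):
    """Evaluate one indicator over several projects; returns (measure, level) per project."""
    return [indicator.evaluate(p) for p in projects]


if __name__ == "__main__":
    for (value, level), label in zip(compare(MFA_GAP_LEVEL, PROJECT_A, PROJECT_B), "AB"):
        print(f"project {label}: {MFA_GAP.name}={value:.2f} {MFA_GAP.unit} -> {level}")
```

Because the decision criteria live in the indicator specification rather than in the project that runs it, two projects cannot silently grade the same measure differently; that is the repeatability the chapter argues for.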

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780124114746000025

Managing Access Control

John J. Fay, David Patterson, in Contemporary Security Management (Fourth Edition), 2018

Accounting for Property

A reasonable business necessity is prevention of loss and prevention of unauthorized use of organizational assets. The necessity can be satisfied with a system for controlling the movement of property out of the facility through pedestrian portals (for example, property in the possession of employees and visitors who leave by the front door), and a system for tracking the migration of physical assets within the facility.

A property removal system can require the remover to obtain a removal pass signed by an authorizing supervisor. The pass is attached to or enclosed with the property to be removed. At the exit point, the pass is shown to a security officer. The pass can be taken by the officer and be held on file for reconciliation purposes.

An assets-tracking system keeps track of items such as desktop equipment and valuable tools. The items are tagged, labeled, imprinted, or encoded in some way. To illustrate, a bar-code sticker is affixed to an item. The sticker identifies the type of item, its location, and identity of the person responsible for its custody. During the midnight shift, a security officer moves throughout the facility passing an electronic wand across bar code stickers. A microprocessor or computer in the security control center reads each sticker and matches it against a database. If the match is not perfect, such as the item being in the wrong location, an exception is noted by the computer. At the end of the midnight shift a report is printed. All noted exceptions are highlighted. Copies of the printout are placed in the company's mail room for delivery to supervisors responsible for custody of the items. Items that were not tracked can be assumed missing or stolen.
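The reconciliation step described above, as an added example that is not code from the chapter: each wand read is matched against the registry, and the three exception classes a practitioner wants separated (an item in the wrong location, a tag the registry does not know, and a registered item no read accounted for) are collected and grouped by custodian for the end-of-shift report. The registry rows, the scan log, and the tag format are constructed for illustration.

```python
"""Reconcile a night-shift bar-code scan against the asset registry.

Added example, not code from the chapter. The registry, the scan log and the
tag format are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    tag: str        # value encoded on the bar-code sticker
    kind: str       # type of item
    location: str   # room or zone where it should be found
    custodian: str  # person responsible for its custody


# Constructed asset registry, standing in for the control-centre database.
REGISTRY = {a.tag: a for a in (
    Asset("A-1001", "laptop", "RM-201", "j.doe"),
    Asset("A-1002", "laptop", "RM-201", "j.doe"),
    Asset("A-2001", "oscilloscope", "LAB-3", "m.smith"),
    Asset("A-3001", "desktop", "RM-105", "k.lee"),
)}

# Constructed scan log: (tag read by the wand, location where it was read).
SCAN = [
    ("A-1001", "RM-201"),
    ("A-2001", "RM-105"),   # registered in LAB-3: wrong location
    ("A-3001", "RM-105"),
    ("A-9999", "RM-105"),   # tag not in the registry at all
    ("A-1001", "RM-201"),   # second read of the same sticker, harmless
]


def reconcile(registry, scan):
    """Match every read against the registry and collect the exceptions.

    wrong_location - a registered tag read somewhere other than its recorded location
    unknown_tag    - a read matching no registry entry (foreign or forged sticker,
                     or a registry that is out of date)
    not_seen       - a registered item that no read accounted for; the chapter
                     treats these as presumed missing or stolen
    """
    seen = set()
    wrong_location = {}
    unknown = []
    for tag, where in scan:
        asset = registry.get(tag)
        if asset is None:
            unknown.append((tag, where))
            continue
        seen.add(tag)
        if where != asset.location:
            # one entry per tag even if the wand read the sticker several times
            wrong_location[tag] = (asset.location, where)
    not_seen = sorted(tag for tag in registry if tag not in seen)
    return {
        "wrong_location": [(t, exp, got) for t, (exp, got) in sorted(wrong_location.items())],
        "unknown_tag": unknown,
        "not_seen": not_seen,
    }


def report_by_custodian(registry, exceptions):
    """Group the exceptions that have a custodian into per-custodian report lines.

    Unknown tags have no custodian and are left for the control centre.
    """
    report = {}
    for tag, expected, found in exceptions["wrong_location"]:
        report.setdefault(registry[tag].custodian, []).append(
            f"{tag} ({registry[tag].kind}) expected in {expected}, found in {found}")
    for tag in exceptions["not_seen"]:
        report.setdefault(registry[tag].custodian, []).append(
            f"{tag} ({registry[tag].kind}) not found, presumed missing")
    return report


if __name__ == "__main__":
    exc = reconcile(REGISTRY, SCAN)
    for custodian, lines in report_by_custodian(REGISTRY, exc).items():
        print(f"To: {custodian}")
        for line in lines:
            print("  " + line)
    for tag, where in exc["unknown_tag"]:
        print(f"Control centre: unregistered tag {tag} read in {where}")
```

Keeping unknown tags out of the custodian reports is deliberate: a sticker the registry has never heard of points at a registry problem or at a foreign item, which is the control centre's question, not a custodian's.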

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780128092781000128

Information Risk Assessment

Timothy Virtue, Justin Rainey, in HCISPP Study Guide, 2015

Task 4-1 Monitor Risk Factors

Conduct ongoing monitoring of the risk factors that contribute to changes in risk to organizational operations and assets, individuals, or other organizations. Organizations monitor risk factors of importance on an ongoing basis to ensure that the information needed to make credible, risk-based decisions continues to be available over time. Monitoring risk factors (e.g., threat sources and threat events, vulnerabilities and predisposing conditions, capabilities and intent of adversaries, targeting of organizational operations, assets, or individuals) can provide critical information on changing conditions that could potentially affect the ability of organizations to conduct core missions and business functions. Information derived from the ongoing monitoring of risk factors can be used to refresh risk assessments at whatever frequency is deemed appropriate. Organizations can also attempt to capture changes in the effectiveness of risk response measures in order to maintain the currency of risk assessments. The objective is to maintain an ongoing situational awareness of the organizational governance structures and activities, mission/business processes, information systems, and environments of operation, and thereby all of the risk factors that may affect the risk being incurred by organizations. Therefore, in applying the risk assessment context or risk frame (i.e., scope, purpose, assumptions, constraints, risk tolerances, priorities, and trade-offs), organizations consider the part risk factors play in the risk response plan executed. For example, it is expected to be quite common for the security posture of information systems (i.e., the risk factors measured within those systems) to reflect only a part of the organizational risk response, with response actions at the organization level or mission/business process level providing a significant portion of that response. In such situations, monitoring only the security posture of information systems would likely not provide sufficient information to determine the overall risk being incurred by organizations. Highly capable, well-resourced, and purpose-driven threat sources can be expected to defeat commonly available protection mechanisms (e.g., by bypassing or tampering with such mechanisms). Thus, process-level risk response measures such as reengineering mission/business processes, wise use of information technology, or the use of alternate execution processes in the event of compromised information systems can be major elements of organizational risk response plans.

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780128020432000069

Risk Management Framework

Leighton Johnson, in Security Controls Evaluation, Testing, and Assessment Handbook (Second Edition), 2020

Step 5—authorization

The primary goal of this step is to authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system, and the decision that this risk is acceptable. The objective of this step is to obtain Authority to Operate (ATO) approval for the system.

The residual risks identified during the security control assessment are evaluated, and the decision is made to authorize the system to operate, deny its operation, or remediate the deficiencies. Associated documentation is prepared and/or updated depending on the authorization decision. SP 800-37, rev. 2 reordered these tasks and added a new task to reflect a better process flow after the inclusion of the Prepare Step 0.

The identified tasks for Step 5 are as follows:

(1) Assemble the security authorization package, and submit the package to the authorizing official for adjudication.

(2) Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.

(3) Determine whether the risk responses provided are adequate for the level of risk.

(4) Determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable.

(5) Provide the authorization decisions, significant vulnerabilities, and risk reports to the appropriate organizational officials.

SP 800-37, rev. 2 also restates the purpose of this step as follows:

The purpose of the Authorize step is to provide organizational accountability by requiring a senior management official to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation based on the operation of a system or the use of common controls, is acceptable. [9]

The guidance in SP 800-37, rev. 1 gives additional insight into authorization: "The explicit acceptance of risk is the responsibility of the authorizing official and cannot be delegated to other officials within the organization. The authorizing official considers many factors when deciding if the risk to organizational operations (including mission, function, image, or reputation), organizational assets, individuals, other organizations, and the Nation, is acceptable. Balancing security considerations with mission and operational needs is paramount to achieving an acceptable authorization decision. The authorizing official issues an authorization decision for the information system and the common controls inherited by the system after reviewing all of the relevant information and, where appropriate, consulting with other organizational officials, including the organization's risk executive (function). Security authorization decisions are based on the content of the security authorization package and, where appropriate, any inputs received from key organizational officials, including the risk executive (function). The authorization package provides relevant information on the security state of the information system including the ongoing effectiveness of the security controls employed within or inherited by the system. Inputs from the risk executive (function), including previously established overarching risk guidance to authorizing officials, provide additional organization-wide information to the authorizing official that may be relevant and affect the authorization decision (e.g., organizational risk tolerance, specific mission and business requirements, dependencies among information systems, and other types of risks not directly associated with the information system). Risk executive (function) inputs are documented and become part of the security authorization decision. Security authorization decisions, including inputs from the risk executive (function), are conveyed to information system owners and common control providers and made available to interested parties within the organization (e.g., information system owners and authorizing officials for interconnected systems, chief information officers, information owners/stewards, senior managers).

The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner or common control provider, and other organizational officials, as appropriate. The authorization decision document contains the following information:

(i) authorization decision;

(ii) terms and conditions for the authorization; and

(iii) authorization termination date.

The security authorization decision indicates to the information system owner whether the system is:

(i) authorized to operate; or

(ii) not authorized to operate.

The terms and conditions for the authorization provide a description of any specific limitations or restrictions placed on the operation of the information system or inherited controls that must be followed by the system owner or common control provider. The authorization termination date, established by the authorizing official, indicates when the security authorization expires. Authorization termination dates are influenced by federal and/or organizational policies which may establish maximum authorization periods. Organizations may choose to eliminate the authorization termination date if the continuous monitoring program is sufficiently robust to provide the authorizing official with the needed information to conduct ongoing risk determination and risk acceptance activities with regard to the security state of the information system and the ongoing effectiveness of security controls employed within and inherited by the system.

If the security control assessments are conducted by qualified assessors with the required degree of independence based on federal/organizational policies, appropriate security standards and guidelines, and the needs of the authorizing official, the assessment results can be cumulatively applied to the reauthorization, thus supporting the concept of ongoing authorization. Organizational policies regarding ongoing authorization and formal reauthorization, if/when required, are consistent with federal directives, regulations, and/or policies.

The authorization decision document is attached to the original security authorization package containing the supporting documentation and transmitted to the information system owner or common control provider. Upon receipt of the authorization decision document and original authorization package, the information system owner or common control provider acknowledges and implements the terms and conditions of the authorization and notifies the authorizing official. The organization ensures that authorization documents for both information systems and for common controls are made available to appropriate organizational officials (e.g., information system owners inheriting common controls, risk executive (function), chief information officers, senior information security officers, information system security officers). Authorization documents, especially information dealing with information system vulnerabilities, are:

(i) marked and appropriately protected in accordance with federal and organizational policies; and

(ii) retained in accordance with the organization's record retention policy.

The authorizing official verifies, on an ongoing basis, that the terms and conditions established as part of the authorization are being followed by the information system owner or common control provider." [10]

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780128184271000057

Thinking About Systems

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Information Security Management

From an information security and risk management perspective, federal agencies view information systems and the information they contain as key organizational assets enabling successful mission execution and the effective performance of mission-centric and supporting business and administrative functions. Although this view is consistent with capital planning and enterprise architecture perspectives, the focus on systems within information security risk management emphasizes the provision of adequate security for information systems through the application of the Risk Management Framework process to obtain and maintain authorizations to operate. Performing information security risk management effectively and efficiently requires agencies and their system owners to clearly define the appropriate boundaries for organizational information systems. Information system boundaries help determine the scope of control and agency responsibilities for protecting information systems and identify the organizational resources, operating environments, technical components, and governance applicable to each information system. Information system boundaries correspond to information system management responsibilities at all levels of the organization, and potentially outside the organization in the case of externally provided systems, components, or services, including information owners, information system owners, authorizing officials, and operational security personnel at the individual information system level. Establishing the information system boundary is part of describing the information system in step 1 of the RMF, in which agencies identify the information resources associated with a system and the point of management control or authority over those resources [32]. Agencies need to strike the appropriate balance between defining information system boundaries broadly, which potentially adds complexity to risk management processes, and defining boundaries more narrowly, which increases the number of information systems and the corresponding operational and management resources allocated to provide adequate security and ensure compliance with FISMA and other applicable regulations. The security management perspective on information systems also focuses on the system as a source of risk to the organization, whether as a target for compromise that exposes the organization to adverse impact or as an essential asset on which mission functions and business processes depend. NIST emphasizes this point explicitly in its risk management guidance to agencies [33] and by focusing the application of the Risk Management Framework on information systems. The language in FISMA and associated NIST guidance to agencies highlights the importance of integrating security management with strategic and operational planning processes at the organizational level [34] and with key activities in all phases of the system development life cycle (SDLC) [35]. To achieve the sort of integrated management envisioned for federal information systems, agencies and their system owners need to address multiple system-based perspectives simultaneously, using explicit information resources management governance processes and the implementation of comprehensive program management or system development life cycle methodologies.

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9781597496414000047

Creating the Right Conditions for CDO Success

Peter Aiken, Michael Gorman, in The Case for the Chief Data Officer, 2013

5.2.1 The CDO Should Parallel the Reporting Structure of Other Asset Chiefs

The CDO should be the senior organizational official most expert in, and responsible for, organizational use of data-based organizational assets in support of strategy – the Data Chief. CDOs must implement a demanding regimen that touches all facets of the organization with a renewed emphasis on quality, decision-making, improving product/service, and a DM system that extends to organizational components.

There are two reasons why the CDO should report with the top organizational management team (see Figure 5.1). First, the historical low priority given to this function requires, at least for the next round, a corresponding bias towards data-centric development practices. Second, it is also clear that DM expertise is not widely available: organizations will need time to determine what works best for them, and it will be a while before generalized guidance is forthcoming. Actual implementation will require practiced coordination among IT, Operations, a specific domain (e.g., Marketing), and Data, with project-specific domain rotation.

Figure 5.1. Positioning the CDO.

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B978012411463000005X

Overview

Rick Sturm, ... Julie Craig, in Application Performance Management (APM) in the Digital Enterprise, 2017

Chapter 8—Application Management Security

Applications are at the heart of an organization's security. If compromised, they can become an avenue to exploiting or destroying valuable organizational assets. The initial development of an application is where critical decisions must be made. Correct decisions then lead to the creation of much more secure applications and less vulnerability for organizational assets.

Chapter 8 explores the need to secure those applications and how to achieve this objective. It describes steps that can be taken to prevent problems from arising, or to minimize their impact if they do arise, and identifies 25 of the worst application coding errors that can create vulnerabilities. Finally, protection of corporate and customer data in a web-based environment is discussed, and a set of web application security management principles is explained.

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780128040188000012