Fundamentals of Information Systems Security/Information Security and Risk Management
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Information security management is the process of defining security controls in order to protect information assets.
Security Program 
The first action of a management program to implement information security is to have a security program in place.
Security Program Objectives
- Protect the company and its assets.
- Manage risks by identifying assets, discovering threats and estimating the risk.
- Provide direction for security activities by framing information security policies, procedures, standards, guidelines and baselines.
- Information Classification
- Security Organization and
- Security Education
Security Management Responsibilities
- Determining objectives, scope, policies, priorities, standards, and strategies.
- Determine the actual goals that are expected to be accomplished by the security program.
- Evaluate business objectives, security risks, user productivity, and functionality requirements.
- Define steps to ensure that all the above are accounted for and properly addressed
Approaches to Build a Security Program
- Top-Down Approach
- The initiation, support, and direction come from top management and work their way through middle management and then to staff members.
- Treated as the best approach.
- Ensures that the senior management, who are ultimately responsible for protecting the company's assets, are driving the program.
- Bottom-Up Approach
- The lower-end team comes up with a security control or a program without proper management support and direction.
- It is less effective and doomed to fail
Security Controls 
Security controls can be classified into three categories:
Administrative Controls which include
- Developing and publishing of policies, standards, procedures, and guidelines.
- Screening of personnel.
- Conducting security-awareness training and
- Implementing change control procedures.
Technical or Logical Controls which include
- Implementing and maintaining access control mechanisms.
- Password and resource management.
- Identification and authentication methods
- Security devices and
- Configuration of the infrastructure.
Physical Controls which include
- Controlling individual access into the facility and different departments
- Locking systems and removing unnecessary floppy or CD-ROM drives
- Protecting the perimeter of the facility
- Monitoring for intrusion and
- Environmental controls.
Security Note: It is the responsibility of the information owner (usually a senior executive within the management group or the head of a specific department) to protect the data. The owner owes a duty of due care and is liable in a court of law for any kind of negligence.
The Elements of Security 
Vulnerability
- It is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment.
- A vulnerability characterizes the absence or weakness of a safeguard that could be exploited.
- E.g.: a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lack of physical security, etc.
Threat
- Any potential danger to information or systems.
- A threat is the possibility that someone (a person or a piece of software) would identify and exploit the vulnerability.
- The entity that takes advantage of a vulnerability is referred to as a threat agent. E.g.: a threat agent could be an intruder accessing the network through a port on the firewall.
Risk
- Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
- Reducing the vulnerability and/or the threat reduces the risk.
- E.g.: If a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to access the network in an unauthorized manner.
Exposure
- An exposure is an instance of being exposed to losses from a threat agent.
- A vulnerability exposes an organization to possible damages.
- E.g.: If password management is weak and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner.
Countermeasure or Safeguard
- It is an application, a software configuration, a piece of hardware, or a procedure that mitigates the risk.
- E.g.: strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.
The Relation Between the Security Elements
- Example: If a company has antivirus software but does not keep the virus signatures up to date, this is a vulnerability. The company is vulnerable to virus attacks.
- The threat is that a virus will show up in the environment and disrupt productivity.
- The likelihood of a virus showing up in the environment and causing damage is the risk.
- If a virus infiltrates the company's environment, then the vulnerability has been exploited and the company is exposed to loss.
- The countermeasures in this situation are to update the signatures and install the antivirus software on all computers.
The chain runs as follows: a threat agent gives rise to a threat, which exploits a vulnerability, which leads to a risk, which can damage assets and causes an exposure, which can be countered by a safeguard, which directly affects the threat agent.
Core Information Security Principles 
The three fundamental principles of security are availability, integrity, and confidentiality. They are commonly referred to as the CIA or AIC triad, and they form the main objective of any security program.
The level of security required to accomplish these principles differs per company, because each has its own unique combination of business and security goals and requirements.
All security controls, mechanisms, and safeguards are implemented to provide one or more of these principles.
All risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles.
Confidentiality
- Ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.
- Threat sources
- Network monitoring
- Shoulder surfing - monitoring keystrokes or the screen
- Stealing password files
- Social engineering - one person posing as the actual
- Countermeasures
- Encrypting data as it is stored and transmitted
- Using network padding
- Implementing strict access control mechanisms and data classification
- Training personnel on proper procedures
Integrity
- Integrity of data is protected when the assurance of the accuracy and reliability of information and systems is provided, and unauthorized modification is prevented.
- Threat sources
- Logic bombs
- Countermeasures
- Strict access control
- Intrusion detection
Availability
- Availability ensures reliable and timely access to data and resources for authorized individuals.
- Threat sources
- Device or software failure
- Environmental issues like heat, cold, humidity, static electricity, and contaminants can also affect system availability
- Denial-of-service (DoS) attacks
- Countermeasures
- Maintaining backups to replace a failed system
- IDS to monitor network traffic and host system activities
- Use of certain firewall and router configurations
Information Security Management Governance 
Security Governance 
Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
Information Security Governance (ISG) is a subset discipline of corporate governance focused on information security systems and their performance and risk management.
Security Policies, Procedures, Standards, Guidelines, and Baselines 
A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.
A well-designed policy addresses:
1. What is being secured? - Typically an asset.
2. Who is expected to comply with the policy? - Typically employees.
3. Where is the vulnerability, threat or risk? - Typically an issue of integrity or responsibility.
Types of Policies
- Regulatory: This type of policy ensures that the organization is following standards set by specific industry regulations. This policy type is very detailed and specific to a type of industry. This is used in financial institutions, health care facilities, public utilities, and other government-regulated industries. E.g.: TRAI.
- Advisory: This type of policy strongly advises employees regarding which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information, handle financial transactions, or process confidential information.
- Informative: This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one to teach individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company's goals and mission, and a general reporting structure in different situations.
Types of Security Policies
Organizational (Program) Security Policy
- Management establishes how a security program will be set up, lays out the program's goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out.
- Provides scope and direction for all future security activities within the organization.
- This policy must address relevant laws, regulations, and liability issues and how they are to be satisfied.
- It also describes the amount of risk senior management is willing to accept.
- Business objectives should drive the policy's creation, implementation, and enforcement. The policy should not dictate business objectives.
- It should be an easily understood document that is used as a reference point for all employees and management.
- It should be developed and used to integrate security into all business functions and processes.
- It should be derived from and support all legislation and regulation applicable to the company.
- It should be reviewed and modified as a company changes, such as through adoption of a new business model, merger with another company, or change of ownership.
- Each iteration of the policy should be dated and under version control.
- The units and individuals who are governed by the policy must have access to the applicable portions and not be expected to read all policy material to find direction and answers.
Issue-Specific Policy
- Addresses specific security issues that management feels need more detailed explanation and attention, to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.
- E.g.: An e-mail policy might state that management can read any employee's e-mail messages that reside on the mail server, but not when they reside on the user's workstation.
System-Specific Policy
- Presents management's decisions that are specific to the actual computers, networks, applications, and data.
- This type of policy may provide an approved software list, which contains the applications that may be installed on individual workstations.
- E.g.: This policy may describe how databases are to be used and protected, how computers are to be locked down, and how firewalls, IDSs, and scanners are to be employed.
Standards
- Standards refer to mandatory activities, actions, rules, or regulations.
- Standards can give a policy its support and reinforcement in direction.
- Standards can be internal, or externally mandated (government laws and regulations).
Procedures
- Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.
- E.g.: procedures can be written on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more.
- Procedures are considered the lowest level in the policy chain because they are closest to the computers and users (compared to policies) and provide detailed steps for configuration and installation issues.
- Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment.
- If a policy states that all individuals who access confidential information must be properly authenticated, the supporting procedures will explain the steps for this to happen by defining the access criteria for authorization, how access control mechanisms are implemented and configured, and how access activities are audited.
Baselines
- A baseline can refer to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it.
- A baseline results in a consistent reference point.
- Baselines are also used to define the minimum level of protection that is required.
- In security, specific baselines can be defined per system type, indicating the necessary settings and the level of protection that is being provided. For example, a company may stipulate that all accounting systems must meet an Evaluation Assurance Level (EAL) 4 baseline.
Security Note: Baselines that are not technology-oriented should be created and enforced within organizations as well. For example, a company can mandate that all employees must have a badge with a picture ID in view while in the facility at all times. It can also state that visitors must sign in at a front desk and be escorted while in the facility. If these are followed, this creates a baseline of protection.
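A technical baseline is only useful if something actually compares systems against it. The following added example (not part of this Wikibook, and not tied to any real standard such as EAL 4) shows the comparison step: an agreed baseline of per-system settings, each marked as an exact requirement or as a minimum level of protection, is checked against a constructed snapshot of a host's current configuration, and every deviation is reported as drift, a missing setting, or a setting below the minimum. The setting names, values and the sample host are assumptions made up for the illustration.

```python
"""Compare a host's current security settings against an agreed baseline.

Added example for this chapter. The baseline keys, values and the sample
host snapshot below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: object
    actual: object
    kind: str  # "missing", "drift", or "below_minimum"


# Constructed baseline: setting -> (required value, comparison mode).
#   "exact": current value must equal the baseline value
#   "min":   current value must be at least the baseline value
#   "max":   current value must be at most the baseline value
# "min"/"max" express the minimum level of protection the text describes.
BASELINE = {
    "password_min_length": (12, "min"),
    "password_max_age_days": (90, "max"),
    "account_lockout_threshold": (5, "max"),
    "disk_encryption": (True, "exact"),
    "remote_admin_protocol": ("ssh", "exact"),
    "audit_logging": (True, "exact"),
}


def compare_to_baseline(baseline, current):
    """Return a list of Findings, one per deviation of `current` from
    `baseline`. An empty list means the host meets the baseline."""
    findings = []
    for setting, (expected, mode) in baseline.items():
        if setting not in current:
            # A setting the collector could not report is treated as a
            # deviation, never silently as compliant.
            findings.append(Finding(setting, expected, None, "missing"))
            continue
        actual = current[setting]
        if mode == "exact" and actual != expected:
            findings.append(Finding(setting, expected, actual, "drift"))
        elif mode == "min" and actual < expected:
            findings.append(Finding(setting, expected, actual, "below_minimum"))
        elif mode == "max" and actual > expected:
            findings.append(Finding(setting, expected, actual, "below_minimum"))
    return findings


def meets_baseline(baseline, current):
    """True only when no deviation at all was found."""
    return not compare_to_baseline(baseline, current)


# Constructed snapshot of one host, as a configuration-collection tool
# might report it. "audit_logging" is deliberately absent.
SAMPLE_HOST = {
    "password_min_length": 8,
    "password_max_age_days": 90,
    "account_lockout_threshold": 10,
    "disk_encryption": True,
    "remote_admin_protocol": "telnet",
}


if __name__ == "__main__":
    for f in compare_to_baseline(BASELINE, SAMPLE_HOST):
        print(f"{f.kind:14} {f.setting}: expected {f.expected!r}, got {f.actual!r}")
    print("meets baseline:", meets_baseline(BASELINE, SAMPLE_HOST))
```

Run as a script, the sample host produces four findings (password length and lockout threshold below the minimum, the remote administration protocol drifted, audit logging missing). Treating an unreported setting as a deviation rather than ignoring it is the design choice that keeps a broken collector from producing a falsely clean report.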
Guidelines
- Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply.
- Guidelines can deal with the methodologies of technology, personnel, or physical security.
Putting It All Together 
- A policy might state that access to confidential data must be audited. A supporting guideline could further explain that audits should contain sufficient information to allow for reconciliation with prior reviews. Supporting procedures would outline the necessary steps to configure, implement, and maintain this type of auditing.
- Policies are strategic (long term), while standards, guidelines and procedures are tactical (medium term).
Organizational Security Models 
Some of the best practices that facilitate the implementation of security controls include Control Objectives for Information and Related Technology (COBIT), ISO/IEC 17799/BS 7799, Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE).
Committee of Sponsoring Organizations of the Treadway Commission (COSO), is a U.S. private-sector initiative, formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.
Key concepts of the COSO framework
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
The COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.
COSO Internal Control Framework: the five components
According to the COSO framework, internal control consists of five interrelated components. These components provide an effective framework for describing and analyzing the internal control system implemented in an organization. The five components are the following:
- Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
- Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
- Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and Separation of duties/segregation of duties.
- Information and communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
- Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
The Information Technology Infrastructure Library (ITIL) is a set of concepts and techniques for managing information technology (IT) infrastructure, development, and operations.
ITIL is published in a series of books, each of which covers an IT management topic.
Overview and Benefits
ITIL provides a systematic and professional approach to the management of IT service provision. Adopting its guidance offers users a huge range of benefits that include:
- reduced costs;
- improved IT services through the use of proven best practice processes;
- improved customer satisfaction through a more professional approach to service delivery;
- standards and guidance;
- improved productivity;
- improved use of skills and experience; and
- improved delivery of third party services through the specification of ITIL or ISO 20000 as the standard for service delivery in services procurements.
ITIL v3, which was published in May 2007, comprises five key volumes:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.
- COBIT has 34 high-level processes that cover 210 control objectives categorized in four domains:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring and Evaluation
- COBIT provides benefits to managers, IT users, and auditors
- Managers benefit from COBIT because it provides them with a foundation upon which IT related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system.
- IT users benefit from COBIT because of the assurance provided to them by COBIT's defined controls, security, and process governance.
- COBIT benefits auditors because it helps them identify IT control issues within a company's IT infrastructure. It also helps them corroborate their audit findings.
- Plan and Organize: The Planning and Organization domain covers the use of information & technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
- Acquire and Implement: The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.
- Delivery and Support: The Delivery and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as, the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training.
- Monitor and Evaluate: The Monitoring and Evaluation domain deals with a company's strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment of the effectiveness of IT system in its ability to meet business objectives and the company's control processes by internal and external auditors.
ISO/IEC 27000 Series (Formerly BS 7799/ISO 17799) 
Tracking the history of the ISO/IEC 27000-series of standards is somewhat of a challenge. This section provides the history of the ISO standard for information security management that began with BS 7799 and later resulted in ISO 17799 and eventually the ISO 27000 "family of standards" for Information Security Management Systems (ISMS). Like the other control and governance models, the ISO 27000 series provides a set of guidelines and best practices for information security management. The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Sub Committee 27), an international body that meets in person twice a year. The International Standards Organization (ISO) also develops standards for quality control, environmental protection, product usability, manufacturing, etc.
BS 7799 
BS 7799 is divided into three parts:
- BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995.
- It was eventually adopted by ISO as ISO/IEC 17799, "Information Technology - Code of practice for information security management." in 2000.
- ISO/IEC 17799 was most recently revised in June 2005 and was renamed to ISO/IEC 27002 in July 2007.
- BS 7799 Part 2 was first published by BSI in 1999, titled "Information Security Management Systems - Specification with guidance for use." It is focused on how to implement an information security management system (ISMS).
- The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) (Deming quality assurance model), aligning it with quality standards such as ISO 9000.
- BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.
- BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.
ISO 17799
- Derived from BS 7799.
- It is an internationally recognized ISM standard that provides high-level, conceptual recommendations on enterprise security.
- ISO 17799 has two parts:
- Part I is an implementation guide with guidelines on how to build a comprehensive information security infrastructure.
- Part II is an auditing guide based on requirements that must be met for an organization to be deemed compliant with ISO 17799.
- ISO 17799 domains
- Information security policy for the organization: Map of business objectives to security, management's support, security goals, and responsibilities.
- Creation of information security infrastructure: Create and maintain an organizational security structure through the use of security forum, security officer, defining security responsibilities, authorization process, outsourcing, and independent review.
- Asset classification and control: Develop a security infrastructure to protect organizational assets through accountability and inventory, classification, and handling procedures.
- Personnel security: Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations.
- Physical and environmental security: Protect the organization's assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control, and protecting equipment.
- Communications and operations management: Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management, and media handling.
- Access control: Control access to assets based on business requirements, user management, authentication methods, and monitoring.
- System development and maintenance: Implement security in all phases of a system's lifetime through development of security requirements, cryptography, integrity, and software development procedures.
- Business continuity management: Counter disruptions of normal operations by using continuity planning and testing.
- Compliance: Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness.
ISO 27000 Series 
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).
The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organizations of all shapes and sizes. All organizations are encouraged to assess their information security risks, then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.
The following are the currently published 27000-series standards:
- ISO 27000: Overview and vocabulary. An overview of the series and a glossary of terms.
- ISO 27001: Information security management systems - Requirements. This is the specification (requirements) for an information security management system (ISMS); it replaced the old BS 7799-2 standard.
- ISO 27002: Code of practice for information security management. This is the 27000-series number of what was originally the ISO 17799 standard (itself formerly known as BS 7799-1).
- ISO 27003: Information security management system implementation guidance. This will be the official number of a new standard intended to offer guidance for the implementation of an ISMS.
- ISO 27004: Information security management - Measurement. This standard covers information security management measurement and metrics, including suggested ISO 27002-aligned controls.
- ISO 27005: Information security risk management. This is the methodology-independent ISO standard for information security risk management.
- ISO 27006: Requirements for bodies providing audit and certification of information security management systems. This standard provides guidelines for the accreditation of organizations offering ISMS certification.
Other 27000-series ISO publications:
- ISO 27011 Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- ISO 27033 Network security -- Part 1: Overview and concepts
- ISO 27799 Health informatics -- Information security management in health using ISO/IEC 27002
Although the list of ISO 27000-series standards for information security management continues to grow in number, ISO/IEC 27002 and ISO/IEC 27001 remain the most used standards, because they provide the most basic guidance for an enterprise information security program's practices and processes, and also because they are the most current versions of their popular predecessors (BS 7799 and ISO 17799).
Organizational Behavior 
Organizational Structure Evolution 
- Today's Security Organizational Structure
Best Practices 
Job Rotation 
Job rotation is an approach to management development in which an individual is moved through a schedule of assignments designed to give him or her a breadth of exposure to the entire operation.
Job rotation is also practiced to allow qualified employees to gain more insight into the processes of a company and to increase job satisfaction through job variation.
Separation of Duties 
Separation of duties (SoD) is the concept of having more than one person required to complete a task. It is alternatively called segregation of duties or, in the political realm, separation of powers.
- In basic terms, SoD means that no single individual should have control over two or more phases of a transaction or operation, so that deliberate fraud is more difficult because it requires the collusion of two or more individuals or parties.
- Under the concept of SoD, business-critical duties can be categorized into four types of functions: authorization, custody, record keeping and reconciliation. In a perfect system, no one person should handle more than one type of function.
- In information systems, segregation of duties helps reduce the potential damage from the actions of one person. The IS or end-user department should be organized in a way that achieves adequate separation of duties.
Control Mechanisms to enforce SoD
There are several control mechanisms that can help to enforce the segregation of duties:
- Audit trails enable IT managers or Auditors to recreate the actual transaction flow from the point of origination to its existence on an updated file. Good audit trails should be enabled to provide information on who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.
- Reconciliation of applications and an independent verification process are ultimately the responsibility of users; they can be used to increase the level of confidence that an application ran successfully.
- Exception reports are handled at supervisory level, backed up by evidence noting that exceptions are handled properly and in a timely fashion. A signature of the person who prepares the report is normally required.
- Manual or automated system or application transaction logs should be maintained, which record all processed system commands or application transactions.
- Supervisory review should be performed through observation and inquiry.
- To compensate for mistakes or intentional failures to follow a prescribed procedure, independent reviews are recommended. Such reviews can help detect errors and irregularities.
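To make the audit-trail and transaction-log mechanisms above concrete, here is an added example (not from the wikibook) that replays a constructed transaction log and flags every transaction in which one person performed more than one of the four SoD function types, as well as transactions that never passed through all four. The log layout, user names and transaction ids are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# The four categories of business-critical functions named in the text.
SOD_FUNCTIONS = frozenset({"authorization", "custody", "record_keeping", "reconciliation"})

# Constructed audit-trail entries (who did what, to which transaction, when).
# The field layout is an assumption for this example:
#   timestamp|user|function|transaction_id
SAMPLE_AUDIT_TRAIL = """\
2024-03-01T09:02:11|alice|authorization|TX-1001
2024-03-01T09:05:40|bob|custody|TX-1001
2024-03-01T09:30:02|carol|record_keeping|TX-1001
2024-03-01T17:00:00|dave|reconciliation|TX-1001
2024-03-02T10:12:09|bob|authorization|TX-1002
2024-03-02T10:13:15|bob|custody|TX-1002
2024-03-02T10:40:00|carol|record_keeping|TX-1002
2024-03-02T17:05:00|bob|reconciliation|TX-1002
2024-03-03T11:00:00|erin|authorization|TX-1003
"""


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user: str
    function: str
    transaction_id: str


def parse_audit_trail(text):
    """Parse the pipe-delimited trail. Malformed lines or unknown function
    names raise instead of being skipped: a gap in the audit trail is itself
    a finding that a reviewer needs to see."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split("|")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        timestamp, user, function, txid = fields
        if function not in SOD_FUNCTIONS:
            raise ValueError(f"line {lineno}: unknown SoD function {function!r}")
        entries.append(AuditEntry(timestamp, user, function, txid))
    return entries


def find_sod_violations(entries):
    """Map transaction_id -> {user: [functions]} for every transaction in which
    a single user performed two or more of the four function types."""
    per_tx = defaultdict(lambda: defaultdict(set))
    for e in entries:
        per_tx[e.transaction_id][e.user].add(e.function)
    violations = {}
    for txid, by_user in per_tx.items():
        offenders = {u: sorted(f) for u, f in by_user.items() if len(f) > 1}
        if offenders:
            violations[txid] = offenders
    return violations


def find_incomplete_transactions(entries):
    """Map transaction_id -> [missing functions] for transactions that have not
    passed through all four function types (for example, never reconciled)."""
    seen = defaultdict(set)
    for e in entries:
        seen[e.transaction_id].add(e.function)
    return {tx: sorted(SOD_FUNCTIONS - done)
            for tx, done in seen.items() if SOD_FUNCTIONS - done}


if __name__ == "__main__":
    entries = parse_audit_trail(SAMPLE_AUDIT_TRAIL)
    for tx, offenders in find_sod_violations(entries).items():
        for user, funcs in offenders.items():
            print(f"SoD violation in {tx}: {user} performed {', '.join(funcs)}")
    for tx, missing in find_incomplete_transactions(entries).items():
        print(f"{tx} not yet complete, missing: {', '.join(missing)}")
```

On the sample trail, TX-1001 is clean, TX-1002 is flagged because one user both authorized and reconciled it, and TX-1003 is reported as still open.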
Least Privilege (Need to Know) 
The principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment every module (a process, a user or a program, depending on the layer being considered) must be able to access only the information and resources that are necessary to its legitimate purpose.
Note: This principle is a useful security tool, but it has never been successful at enforcing high assurance security on a system.
- Better system stability. When code is limited in the scope of changes it can make to a system, it is easier to test its possible actions and interactions with other applications. In practice for example, applications running with restricted rights will not have access to perform operations that could crash a machine, or adversely affect other applications running on the same system.
- Better system security. When code is limited in the system-wide actions it may perform, vulnerabilities in one application cannot be used to exploit the rest of the machine. For example, Microsoft states "Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits, spyware, and undetectable viruses."
- Ease of deployment. In general, the fewer privileges an application requires, the easier it is to deploy within a larger environment. This usually follows from the first two benefits: applications that install device drivers or require elevated security privileges typically have additional steps involved in their deployment. For example, on Windows a solution with no device drivers can be run directly with no installation, while device drivers must be installed separately using the Windows Installer service in order to grant the driver elevated privileges.
Mandatory Vacations 
Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. This often results in easy detection of abuse, fraud, or negligence.
Job Position Sensitivity 
Security Roles and Responsibilities 
Levels of Responsibilities 
- Senior management and other levels of management understand the vision of the company, the business goals, and the objectives.
- Functional management, whose members understand how their individual departments work, what roles individuals play within the company, and how security affects their department directly.
- Operational managers and staff. These layers are closer to the actual operations of the company. They know detailed information about the technical and procedural requirements, the systems, and how the systems are used. The employees at these layers understand how security mechanisms integrate into systems, how to configure them, and how they affect daily productivity.
Classification of Roles and their Responsibilities 
- The data owner (information owner) is usually a member of management, in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information.
- The data owner decides upon the classification of the data that he is responsible for and alters that classification if the business needs arise.
- This person is also responsible for ensuring that the necessary security controls are in place, ensuring that proper access rights are being used, defining security requirements per classification and backup requirements, approving any disclosure activities, and defining user access criteria.
- The data owner approves access requests or may choose to delegate this function to business unit managers. And it is the data owner who will deal with security violations pertaining to the data he is responsible for protecting.
- The data owner, who obviously has enough on his plate, delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian.
- The data custodian (information custodian) is responsible for maintaining and protecting the data.
- This role is usually filled by the IT department, and the duties include performing regular backups of the data, periodically validating the integrity of the data, restoring data from backup media, retaining records of activity, and fulfilling the requirements specified in the company's security policy, standards, and guidelines that pertain to information security and data protection.
- The system owner is responsible for one or more systems, each of which may hold and process data owned by different data owners.
- A system owner is responsible for integrating security considerations into application and system purchasing decisions and development projects.
- The system owner is responsible for ensuring that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on.
- This role needs to ensure that the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner.
- A security administrator's tasks are many, and include creating new system user accounts, implementing new security software, testing security patches and components, and issuing new passwords.
- The security administrator role needs to make sure that access rights that are given to users support the policies and data owner directives.
- This role works at a higher, more strategic level than the previously described roles and helps to develop policies, standards, and guidelines and set various baselines.
- Whereas the previous roles are "in the weeds" and focusing on their pieces and parts of the security program, a security analyst helps define the security program elements and follows through to ensure that the elements are being carried out and practiced properly. This person works more at a design level than at an implementation level.
- An application owner, usually a business unit manager, is responsible for dictating who can and cannot access their applications, such as the accounting software or the software used for testing and development.
- This role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. Its duties include ensuring that all employees understand their responsibilities with respect to security, distributing initial passwords, making sure that the employees' account information is up-to-date, and informing the security administrator when an employee is fired, suspended, or transferred.
Change Control Analyst
- The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software.
- This role needs to make sure that the change will not introduce any vulnerability, that it has been properly tested, and that it is properly rolled out.
- The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity.
- The data analyst is responsible for ensuring that data is stored in a way that makes the most sense to the company and the individuals who need to access and work with it.
- The data analyst role may be responsible for architecting a new system that will hold company information or advising in the purchase of a product that will do this.
- The data analyst works with the data owners to help ensure that the structures that are set up coincide with and support the company's business objectives.
- Security should be considered and treated like just another business process. The process owner is responsible for properly defining, improving upon, and monitoring these processes.
- A process owner is not necessarily tied to one business unit or application. Complex processes involve a lot of variables that can span across different departments, technologies, and data types.
- This role is called upon when a business has a problem or requires that a process be improved upon.
- A solution provider works with the business unit managers, data owners, and senior management to develop and deploy a solution to reduce the company's pain points.
- The user is any individual who routinely uses the data for work-related tasks.
- The user must have the necessary level of access to the data to perform the duties within their position and is responsible for following operational security procedures to ensure the data's confidentiality, integrity, and availability to others.
Product Line Manager
- Responsible for explaining business requirements to vendors and wading through their rhetoric to see if the product is right for the company
- Responsible for ensuring compliance to license agreements
- Responsible for translating business requirements into objectives and specifications for the developer of a product or solution
- Decides if his company really needs to upgrade their current systems
- This role must understand business drivers, business processes, and the technology that is required to support them.
- The product line manager evaluates different products in the market, works with vendors, understands different options a company can take, and advises management and business units on the proper solutions that are needed to meet their goals.
Responsibilities of the Information Security Officer
- Communicate Risks to Executive Management
- Budget for Information Security Activities
- Ensure Development of Policies, Procedures, Baselines, Standards, and Guidelines
- Develop and Provide Security Awareness Program
- Understand Business Objectives
- Maintain Awareness of Emerging Threats and Vulnerabilities
- Evaluate Security Incidents and Response
- Develop Security Compliance Program
- Establish Security Metrics
- Participate in Management Meetings
- Ensure Compliance with Government Regulations
- Assist Internal and External Auditors
- Stay Abreast of Emerging Technologies
Reporting Model 
- Business Relationships
- Reporting to the CEO
- Reporting to the Information Technology (IT) Department
- Reporting to Corporate Security
- Reporting to the Administrative Services Department
- Reporting to the Insurance and Risk Management Department
- Reporting to the Internal Audit Department
- Reporting to the Legal Department
- Determining the Best Fit
Enterprise-wide Security Oversight 
Defining the Goals 
- Vision Statement
- Mission Statement
Security Planning 
- Strategic Planning
- Tactical Planning
- Operational and Project Planning
Personnel Security 
There are many facets of personnel responsibilities that fall under management's umbrella and several of these facets have a direct correlation to the overall security of the environment such as
- Hiring the most qualified individuals
- Performing background checks of the personnel using detailed job descriptions
- Providing necessary training
- Enforcing strict access controls, and
- Terminating individuals in a way that protects all parties involved.
Depending on the position that needs to be filled, a level of screening should be done by human resources to ensure that the company hires the right individual for the right job.
- Skills should be tested and evaluated, and the caliber and character of the individual should be examined.
- Nondisclosure agreements need to be developed and signed by new employees to protect the company and its sensitive information.
- Any conflicts of interests need to be addressed, and there should be different agreements and precautions taken with temporary and contract employees.
- References should be checked, military records should be reviewed, education should be verified, and if necessary, a drug test should be administered.
- Many times, important personal behaviors can be concealed, and that is why hiring practices should include scenario questions, personality tests, and observations of the individual, instead of just looking at a person's work history.
- A management structure must be in place to make sure that everyone has someone to report to and that the responsibility for another person's actions is spread equally and intelligently.
- Consequences for noncompliance or unacceptable behavior must be communicated before an event takes place.
- Proper supervisory skills need to be acquired and used to ensure that operations go smoothly and any out-of-the-ordinary activities can be taken care of before they get out of control.
- Rotation of duties should be employed in order to keep control of each department in a healthy and productive state. No one person should stay in one position for a long period of time, because they may end up having too much control over a segment of the business, resulting in fraud, data modification, and misuse of resources.
- Employees in sensitive areas should be required to take their vacation, which is known as a mandatory vacation policy, so that the individual filling in for them can detect any fraudulent errors or activities.
- Two variations of separation of duties and control are split knowledge and dual control.
- In both cases, two or more individuals are authorized and required to perform a duty or task.
- In the case of split knowledge, no one person knows or has all the details to perform a task.
- In the case of dual control, two individuals are again authorized to perform a task, but both must be available and active in their participation to complete the task or mission.
- Companies should have a specific set of procedures to follow with each and every termination.
Security Awareness, Training, and Education 
Conducting A Formal Security Awareness Training 
The management's directives pertaining to security are captured in the security policy, and the standards, procedures, and guidelines are developed to support these directives. However, these directives will not be effective if no one knows about them and how the company expects them to be implemented.
- For security to be successful and effective, senior management on down to the rest of the staff needs to be fully aware of the importance of enterprise and information security.
- All employees should understand the underlying significance of security and the specific security related requirements expected out of them.
- The controls and procedures of a security program should reflect the nature of the data being processed.
- The security program should be developed in a fashion that makes sense for the different cultures and environments.
- The security program should communicate the what, how, and why of security to its employees.
- Security-awareness training should be comprehensive, tailored for specific groups, and organization-wide with a goal that each employee understands the importance of security to the company as a whole and to each individual.
- Expected responsibilities and acceptable behaviors need to be clarified, and noncompliance repercussions, which could range from a warning to dismissal, need to be explained before being invoked.
Different Types of Security Awareness Training
There are usually at least three separate audiences for a security-awareness program: management, staff, and technical employees.
- Each type of awareness training needs to be geared toward the individual audience to ensure that each group understands its particular responsibilities, liabilities, and expectations.
- Members of management would benefit the most from a short, focused security awareness orientation that discusses corporate assets and financial gains and losses pertaining to security.
- Mid-management would benefit from a more detailed explanation of the policies, procedures, standards, and guidelines and how they map to the individual departments for which they are responsible.
- Middle managers should be taught why their support for their specific departments is critical and what their level of responsibility is for ensuring that employees practice safe computing activities. They should also be shown how the consequences of noncompliance by individuals who report to them can affect the company as a whole and how they, as managers, may have to answer for such indiscretions.
- The technical departments must receive a different presentation that aligns more to their daily tasks. They should receive a more in-depth training to discuss technical configurations, incident handling, and indications of different types of security compromises so they can be properly recognized.
- Employees should not try to combat an attacker or address fraudulent activities by themselves; instead they should report these issues to upper management, and upper management should determine how to handle the situation.
- The presentation given to staff members needs to demonstrate why security is important to the company and to them individually. The better they understand how insecure activities can negatively affect them, the more willing they will be to participate in preventing such activities.
- It is usually best to have each employee sign a document indicating that they have heard and understand all the security topics discussed and understand the ramifications of noncompliance.
- Security training should happen periodically and continually.
Evaluating The Program
Security-awareness training is a type of control, and just like any other control it should be monitored and evaluated for its effectiveness.
- After the employees attend awareness training, a company may give them questionnaires and surveys to gauge their retention level and to get their feedback about the training, to evaluate the program's effectiveness.
- A good indication of the effectiveness of the program can be captured by comparing the number of reports of security incidents that were made before and after the training.
- For online training, capture individuals' names and what training modules have or have not been completed within a specific time period. This can then be integrated into their job performance documentation.
- Security-awareness training must repeat the most important messages in different formats, be kept up-to-date, be entertaining, positive, and humorous, be simple to understand, and--most important--be supported by senior management.
Specialized Training Programs
- Train the individuals to use specialized devices and technologies.
- Different roles require different types of training (firewall administration, risk management, policy development, IDSs, and so on). A skilled staff is one of the most critical components to the security of a company, and not enough companies are spending the funds and energy necessary to give their staffs proper levels of security education.
What Might a Course in Security Awareness Look Like?
Awareness Activities and Methods 
Information Risk Management 
Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.
Risk Management Concepts 
Categories of Risks
- Physical damage - Fire, water, vandalism, power loss, and natural disasters
- Human interaction - Accidental or intentional action or inaction that can disrupt productivity
- Equipment malfunction - Failure of systems and peripheral devices
- Inside and outside attacks - Hacking, cracking, and attacking
- Misuse of data - Sharing trade secrets, fraud, espionage, and theft
- Loss of data - Intentional or unintentional loss of information through destructive means
- Application error - Computation errors, input errors, and buffer overflows
- Social status - Loss of customer base and reputation
Security Tip: The threats need to be identified, classified by category, and evaluated to calculate their actual magnitude of potential loss. Real risk is hard to measure, but prioritizing the potential risks in the order in which they need to be addressed is attainable.
Defining a Risk Management Policy
- The IRM policy provides the infrastructure for the organization's risk management processes and procedures.
- Characteristics of an IRM policy
- It should address all issues of information security, from personnel screening and the insider threat to physical security and firewalls.
- It should provide direction on how the IRM team relates information on company risks to senior management and how to properly execute management's decisions on risk mitigation tasks.
- The IRM policy should be a subset of the organization's overall risk management policy and should be mapped to the organizational security policies.
- The IRM policy should address the following items:
- Define the objectives of IRM team
- Level of risk the company will accept and what is considered an acceptable risk
- Formal processes of risk identification
- Connection between the IRM policy and the organization's strategic planning processes
- Responsibilities that fall under IRM and the roles that are to fulfill them
- Mapping of risk to internal controls
- Approach for changing staff behaviors and resource allocation in response to risk analysis
- Mapping of risks to performance targets and budgets
- Key indicators to monitor the effectiveness of controls
Risk Management Practices
A risk management team should have the ability to follow best practices, some of which include:
- Establishing a risk acceptance level as provided by senior management
- Documenting risk assessment processes and procedures
- Establishing proper procedures for identifying and mitigating risks
- Getting support from senior management for appropriate resource and fund allocation
- Defining contingency plans where assessments indicate that they are necessary
- Ensuring that security-awareness training is provided for all staff members associated with information assets
- Striving to establish improvement (or risk mitigation) in specific areas when necessary
- Mapping legal and regulatory compliance requirements to control and implementation requirements
- Developing metrics and performance indicators to be able to measure and manage various types of risks
- Identifying and assessing new risks as the environment and company change
- Integrating IRM with the organization's change control process to ensure that changes do not introduce new vulnerabilities
Risk Handling Strategies 
As it is impossible for a system or an environment to be 100 percent secure, there should be an acceptable level of risk.
Residual Risk vs. Total Risk
- Residual Risk: The risk that is always left over to deal with after countermeasures are in place.
- Total Risk: The risk when no countermeasures are in place, i.e. 100% of the risk. Accepting this type of risk is appropriate when the cost/benefit analysis results indicate that this is the best course of action.
- The Relation:
- Threats * Vulnerability * Asset Value = Total Risk
- Threats * Vulnerability * Asset Value * Control Gap = Residual Risk
Ways to deal with Risk
There are four basic ways of dealing with risks:
- Transfer it: If a company's total or residual risk is too high and it purchases insurance, it is transferring the risk to the insurance company.
- Reject it: If a company is in denial about its risk or ignores it, it is rejecting the risk.
- Reduce it: If a company implements countermeasures, it is reducing the risk.
- Accept it: If a company understands the risk and decides not to implement any kind of countermeasure, it is accepting the risk.
Risk Assessment/Analysis 
Risk analysis is a method of identifying vulnerabilities and threats and assessing the possible damage, to determine where to implement security safeguards.
Why Risk Analysis?
- To ensure that security is cost effective, relevant, timely, and responsive to threat.
- To provide a cost/benefit comparison, which compares the annualized cost of safeguards to the potential cost of loss.
- Help integrate the security program objectives with the company's business objectives and requirements
- To provide an economic balance between the impact of the threat and the cost of the countermeasure.
The Risk Analysis Activities
- Identifying assets and their values
- Identifying the vulnerabilities and threats
- Analyze the risk - two approaches
- Quantitative Approach
- Qualitative Approach
- Selecting and Implementing a countermeasure
Identifying The Risk Elements 
Identifying Assets and Their Values
- Kinds of assets
- Tangible: measurable - computers, facilities, supplies
- Intangible: immeasurable, difficult to assess - reputation, intellectual property.
- Factors to be considered during assessing the value of information and assets.
- Cost to acquire or develop the assets
- Cost to maintain and protect the assets
- Value of the asset to owners and users
- Value of the asset to adversaries
- Value of intellectual property that went into developing the information
- Price others are willing to pay for the asset
- Cost to replace the asset if lost
- Operational and production activities that are affected if the asset is unavailable
- Liability issues if the asset is compromised
- Usefulness and role of the asset in the organization
- Need for determining the value of assets
- To perform effective cost/benefit analyses
- To select specific countermeasures and safeguards
- To determine the level of insurance coverage to purchase
- To understand what exactly is at risk
- To conform to due care and comply with legal and regulatory requirements
Identify the Vulnerabilities and Threats
There are many types of threat agents that can take advantage of several types of vulnerabilities, resulting in a variety of specific threats
| Threat Agent | Can Exploit This Vulnerability | Resulting in This Threat |
|---|---|---|
| Virus | Lack of antivirus software | Virus infection |
| Hacker | Powerful services running on a server | Unauthorized access to confidential information |
| Users | Misconfigured parameter in the operating system | System malfunction |
| Fire | Lack of fire extinguishers | Facility and computer damage, and possibly loss of life |
| Employee | Lack of training or standards enforcement; lack of auditing | Sharing mission-critical information; altering data inputs and outputs from data processing applications |
| Contractor | Lax access control mechanisms | Stealing trade secrets |
| Attacker | Poorly written application; lack of stringent firewall settings | Conducting a buffer overflow; conducting a denial-of-service attack |
| Intruder | Lack of security guard | Breaking windows and stealing computers and devices |
A Quantitative Approach to Risk Analysis 
- Quantitative analysis uses risk calculations that attempt to predict the level of monetary losses and percentage of chance for each type of threat.
- Quantitative risk analysis also provides concrete probability percentages when determining the likelihood of threats.
- Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks.
- Purely quantitative risk analysis is not possible, because the method attempts to quantify qualitative items, and there are always uncertainties in quantitative values.
Sample Steps for a Quantitative Risk Analysis
- Step 1: Assign Value to Assets - For each asset, answer the following questions to determine its value:
- What is the value of this asset to the company?
- How much does it cost to maintain?
- How much does it make in profits for the company?
- How much would it be worth to the competition?
- How much would it cost to re-create or recover?
- How much did it cost to acquire or develop?
- How much liability are you under pertaining to the protection of this asset?
- Step 2: Estimate Potential Loss per Threat - To estimate potential losses posed by threats, answer the following questions:
- What physical damage could the threat cause and how much would that cost?
- How much loss of productivity could the threat cause and how much would that cost?
- What is the value lost if confidential information is disclosed?
- What is the cost of recovering from this threat?
- What is the value lost if critical devices were to fail?
- What is the single loss expectancy (SLE) for each asset, and each threat?
- Step 3: Perform a Threat Analysis - Take the following steps to perform a threat analysis:
- Gather information about the likelihood of each threat taking place from people in each department, past records, and official security resources that provide this type of data.
- Calculate the annualized rate of occurrence (ARO), which is how many times the threat can take place in a 12-month period.
- Step 4: Derive the Overall Loss Potential per Threat - To derive the overall loss potential per threat, do the following:
- Combine potential loss and probability.
- Calculate the annualized loss expectancy (ALE) per threat by using the information calculated in the first three steps.
- Choose remedial measures to counteract each threat.
- Carry out cost/benefit analysis on the identified countermeasures.
- Step 5: Reduce, Transfer, or Accept the Risk - For each risk, you can choose whether to reduce, transfer, or accept the risk:
- Risk reduction methods
- Install security controls and components.
- Improve procedures.
- Alter environment.
- Provide early detection methods to catch the threat as it's happening and reduce the possible damage it can cause.
- Produce a contingency plan of how business can continue if a specific threat takes place, reducing further damages of the threat.
- Erect barriers to the threat.
- Carry out security-awareness training.
- Risk transfer - Buy insurance to transfer some of the risk, for example.
- Risk acceptance - Live with the risks and spend no more money toward protection.
Quantitative Risk Analysis Metrics
- Single loss expectancy (SLE) - The amount of loss due to a single occurrence of a threat.
- Annualized loss expectancy (ALE) - The estimated loss per annum.
- Exposure factor (EF) - Represents the percentage of loss a realized threat could have on a certain asset.
- Annualized rate of occurrence (ARO) - The value that represents the estimated frequency of a specific threat taking place within a one-year timeframe. It can range from 0.0 to 1.0.
- The Relation
- Asset value * exposure factor (EF) = SLE
- Example: If a data warehouse has an asset value of $150,000, and it is estimated that a fire would damage 25 percent of the warehouse, then SLE = 0.25 * $150,000 = $37,500.
- SLE * annualized rate of occurrence (ARO) = ALE. If the ARO is 0.1 (once in ten years), then ALE = $37,500 * 0.1 = $3,750. This tells the company that if it wants to put in controls or safeguards to protect the asset from this threat, it can sensibly spend $3,750 or less per year to provide the necessary level of protection.
Results of a Quantitative Risk Analysis
The following is a short list of what is generally expected from the results of a quantitative risk analysis:
- Monetary values assigned to assets
- Comprehensive list of all possible and significant threats
- Probability of the occurrence rate of each threat
- Loss potential the company can endure per threat in a 12-month time span
- Recommended safeguards, countermeasures, and actions analysis
Attributes of the quantitative approach:
- Requires more complex calculations
- Is easier to automate and evaluate
- Used in risk management performance tracking
- Provides credible cost/benefit analysis
- Shows clear-cut losses that can be accrued within one year's time
Disadvantages of the quantitative approach:
- Calculations are more complex. Can management understand how these values were derived?
- Without automated tools, this process is extremely laborious.
- A large amount of detailed information about the environment must be gathered.
- Standards are not available. Each vendor has its own way of interpreting the processes and their results.
A Qualitative Approach to Risk Analysis 
- In the qualitative approach, we walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures.
- Qualitative analysis techniques include judgment, best practices, intuition, and experience.
- Qualitative Risk Analysis Techniques
- Delphi - A group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be. This method is used to obtain an agreement on cost, loss values, and probabilities of occurrence without individuals having to agree verbally.
- Focus groups
- One-on-One meetings
- The risk analysis team will determine the best technique for the threats that need to be assessed and the culture of the company and individuals involved with the analysis.
- The team that is performing the risk analysis gathers personnel who have experience and education on the threats being evaluated. When this group is presented with a scenario that describes threats and loss potential, each member responds with their gut feeling and experience on the likelihood of the threat and the extent of damage that may result.
The responses are recorded in a worksheet with one row per participant and columns for the severity of the threat, the probability of the threat, the potential loss, the effectiveness of a firewall, and the effectiveness of an IDS.
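As an added example (not part of this Wikibook), the following Python turns a worksheet of the kind just described into a ranked list of threats and a recommended countermeasure per threat. The participants, threats, ratings and the five-point scale are constructed for illustration; the median is used to combine ratings so that one extreme opinion cannot dominate the group's view.

```python
"""Rank threats from a qualitative risk worksheet (added example, not from the Wikibook).

Each worksheet row holds one participant's ratings for one threat, using the
columns named in the text. Participants, threats, ratings and the 1-5 scale
are constructed for illustration.
"""
from statistics import median

RATING_SCALE = range(1, 6)  # 1 = negligible ... 5 = severe (assumed five-point scale)
USEFUL_THRESHOLD = 3        # assumed: a safeguard rated below 3 is not proposed

# Rating columns, in the order they appear in each worksheet row.
COLUMNS = ("severity", "probability", "loss", "firewall", "ids")

# Constructed worksheet: (threat, participant, severity, probability, loss,
# effectiveness of firewall, effectiveness of IDS).
WORKSHEET = [
    ("Remote intrusion",    "IT manager",  4, 4, 4, 4, 3),
    ("Remote intrusion",    "DB admin",    5, 3, 5, 4, 4),
    ("Remote intrusion",    "Developer",   3, 4, 3, 5, 2),
    ("Remote intrusion",    "Operations",  4, 4, 4, 3, 4),
    ("Remote intrusion",    "Finance",     5, 2, 5, 4, 3),
    ("Insider data theft",  "IT manager",  4, 2, 5, 1, 3),
    ("Insider data theft",  "DB admin",    5, 3, 5, 1, 4),
    ("Insider data theft",  "Developer",   3, 2, 4, 2, 3),
    ("Insider data theft",  "Operations",  4, 3, 5, 1, 2),
    ("Insider data theft",  "Finance",     5, 2, 5, 2, 3),
    ("Fire in server room", "IT manager",  5, 1, 5, 1, 1),
    ("Fire in server room", "DB admin",    5, 1, 5, 1, 1),
    ("Fire in server room", "Developer",   4, 2, 4, 1, 1),
    ("Fire in server room", "Operations",  5, 1, 5, 1, 1),
    ("Fire in server room", "Finance",     5, 1, 5, 1, 1),
]


def validate_row(row):
    """Reject a worksheet row whose ratings fall outside the agreed scale."""
    threat, who, *ratings = row
    if len(ratings) != len(COLUMNS):
        raise ValueError(f"{who}/{threat}: expected {len(COLUMNS)} ratings")
    for name, value in zip(COLUMNS, ratings):
        if value not in RATING_SCALE:
            raise ValueError(f"{who}/{threat}: {name} rating {value} is off the scale")
    return threat, who, dict(zip(COLUMNS, ratings))


def aggregate(worksheet):
    """Combine every participant's ratings into one consensus figure per threat.

    The median is used rather than the mean so a single outlier opinion does
    not dominate; 'risk' is likelihood times impact on the consensus ratings.
    """
    per_threat = {}
    for row in worksheet:
        threat, _who, ratings = validate_row(row)
        bucket = per_threat.setdefault(threat, {name: [] for name in COLUMNS})
        for name, value in ratings.items():
            bucket[name].append(value)
    summary = {}
    for threat, bucket in per_threat.items():
        consensus = {name: median(values) for name, values in bucket.items()}
        consensus["risk"] = consensus["probability"] * consensus["severity"]
        summary[threat] = consensus
    return summary


def rank_threats(summary):
    """Order threats from most to least serious: by risk, then by potential loss."""
    return sorted(summary, key=lambda t: (summary[t]["risk"], summary[t]["loss"]), reverse=True)


def best_countermeasure(consensus, candidates=("firewall", "ids")):
    """The candidate safeguard the group rated most effective, or None if no
    candidate reached the usefulness threshold (look for another control)."""
    best = max(candidates, key=lambda c: consensus[c])
    return best if consensus[best] >= USEFUL_THRESHOLD else None


if __name__ == "__main__":
    summary = aggregate(WORKSHEET)
    for threat in rank_threats(summary):
        c = summary[threat]
        print(f"{threat:20} risk={c['risk']:>3} loss={c['loss']} -> {best_countermeasure(c)}")
```

The output is a ranking and a per-threat recommendation, not a dollar figure: that is exactly the limitation of the qualitative approach discussed below, so the script is useful for prioritising but not for a cost/benefit argument.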
Attributes of the qualitative approach:
- Requires simple calculations
- Involves a high degree of guesswork
- Provides general areas and indications of risk
- Provides the opinions of the individuals who know the processes best
Disadvantages of the qualitative approach:
- The assessments and results are basically subjective.
- Usually eliminates the opportunity to create a dollar value for cost/benefit discussions.
- Difficult to track risk management objectives with subjective measures.
- Standards are not available. Each vendor has its own way of interpreting the processes and their results.
Selecting and Implementing a Countermeasure 
- A security countermeasure should be cost effective and should be chosen on the basis of a cost/benefit analysis.
- A commonly used cost/benefit calculation for a given safeguard is:
(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
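The following Python is an added example (not from this Wikibook) that carries the SLE and ALE figures from the quantitative section through the cost/benefit formula above. The warehouse-fire numbers ($150,000 asset, EF 0.25, ARO 0.1) are the ones in the text; the three candidate safeguards, their annual costs and the EF/ARO they are assumed to leave behind are constructed for illustration.

```python
"""SLE/ALE arithmetic and safeguard cost/benefit (added example, not from the Wikibook).

The warehouse-fire figures are the ones used in the text; the safeguard
options, their costs and their assumed effect on EF and ARO are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float  # dollars
    ef: float           # exposure factor: fraction of the asset lost per occurrence
    aro: float          # annualized rate of occurrence

    def __post_init__(self):
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0.0 and 1.0")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: asset value * EF."""
        return self.asset_value * self.ef

    def ale(self) -> float:
        """Annualized loss expectancy: SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    ef_after: float   # exposure factor once the safeguard is in place
    aro_after: float  # occurrence rate once the safeguard is in place

    def ale_after(self, threat: Threat) -> float:
        """ALE of the same threat once this safeguard is deployed."""
        return Threat(threat.name, threat.asset_value, self.ef_after, self.aro_after).ale()

    def value(self, threat: Threat) -> float:
        """(ALE before) - (ALE after) - (annual cost of safeguard): the formula in the text."""
        return threat.ale() - self.ale_after(threat) - self.annual_cost


def choose_safeguard(threat, options):
    """The option with the greatest positive value; None means no option pays for
    itself, which is where accepting or transferring the risk becomes the sensible choice."""
    if not options:
        return None
    best = max(options, key=lambda s: s.value(threat))
    return best if best.value(threat) > 0 else None


# Figures from the text: $150,000 warehouse, 25 % damaged by a fire, once in ten years.
FIRE = Threat("warehouse fire", 150_000, ef=0.25, aro=0.1)

# Constructed safeguard options (costs and post-implementation EF/ARO are assumptions).
SPRINKLERS = Safeguard("sprinkler system", annual_cost=1_500, ef_after=0.05, aro_after=0.1)
VAULT = Safeguard("fire-rated vault", annual_cost=4_000, ef_after=0.02, aro_after=0.1)
DETECTORS = Safeguard("smoke detectors only", annual_cost=300, ef_after=0.20, aro_after=0.1)
OPTIONS = [SPRINKLERS, VAULT, DETECTORS]


if __name__ == "__main__":
    print(f"SLE = ${FIRE.sle():,.0f}, ALE = ${FIRE.ale():,.0f}")
    for option in OPTIONS:
        print(f"{option.name:22} value to company = ${option.value(FIRE):,.0f}/yr")
    best = choose_safeguard(FIRE, OPTIONS)
    print("recommendation:", best.name if best else "no safeguard pays off; accept or transfer")
```

Note that the vault reduces the loss the most but still has negative value because its annual cost exceeds the ALE it removes; the cheapest option is not the winner either. The formula rewards the safeguard that removes the most expected loss per dollar spent, and a result of zero or less is the signal to consider risk acceptance or transfer instead.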
Functionality and Effectiveness of Countermeasures
The following shows some of the characteristics to be considered before committing to a safeguard mechanism:
|Modular in nature||It can be installed or removed from an environment without adversely affecting other mechanisms.|
|Provides uniform protection||A security level is applied to all mechanisms it is designed to protect in a standardized method.|
|Provides override functionality||An administrator can override the restriction if necessary.|
|Defaults to least privilege||When installed, it defaults to a lack of permissions and rights instead of installing with everyone having full control.|
|Independence of safeguard and the asset it is protecting||The safeguard can be used to protect different assets, and different assets can be protected by different safeguards.|
|Flexibility and security||The more security the safeguard provides, the better. This functionality should come with flexibility, which enables you to choose different functions instead of all or none.|
|Clear distinction between user and administrator||A user should have fewer permissions when it comes to configuring or disabling the protection mechanism.|
|Minimum human intervention||When humans have to configure or modify controls, this opens the door to errors. The safeguard should require as little input from humans as possible.|
|Easily upgraded||Software continues to evolve, and updates should be able to happen painlessly.|
|Auditing functionality||There should be a mechanism that is part of the safeguard that provides minimum and/or verbose auditing.|
|Minimizes dependence on other components||The safeguard should be flexible and not have strict requirements about the environment into which it will be installed.|
|Easily usable, acceptable, and tolerated by personnel||If the safeguard provides barriers to productivity or adds extra steps to simple tasks, users will not tolerate it.|
|Must produce output in usable and understandable format||Important information should be presented in a format easy for humans to understand and use for trend analysis.|
|Must be able to reset safeguard||The mechanism should be able to be reset and returned to original configurations and settings without affecting the system or asset it is protecting.|
|Testable||The safeguard should be able to be tested in different environments under different situations.|
|Does not introduce other compromises||The safeguard should not provide any covert channels or back doors.|
|System and user performance||System and user performance should not be greatly affected.|
|Proper alerting||Thresholds should be able to be set as to when to alert personnel of a security breach, and this type of alert should|
|Does not affect assets||The assets in the environment should not be adversely affected by the safeguard.|
Determination of Likelihood
Determination of Impact
Determination of Risk
Information Classification 
- After identifying the information to be protected, it is necessary to classify it and organize it according to its sensitivity to loss, disclosure, or unavailability.
- The primary purpose of data classification is to indicate the level of protection of confidentiality, integrity, and availability required for each type of dataset.
- Data classification helps to ensure that the data is protected in the most cost-effective manner.
- Each classification should have separate handling requirements and procedures pertaining to how that data is accessed, used, and destroyed.
Classification Types 
|Classification||Definition||Examples||Organization That Would Use This|
|Public||• Disclosure is not welcome, but it would not cause an adverse impact to company or personnel.||• How many people are working on a specific project • Upcoming projects||Commercial business|
|Sensitive||• Requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion. • Requires higher than normal assurance of accuracy and completeness.||• Financial information • Details of projects • Profit earnings and forecasts||Commercial business|
|Private||• Personal information for use within a company. • Unauthorized disclosure could adversely affect personnel or the company.||• Work history • Human resources information • Medical information||Commercial business|
|Confidential||• For use within the company only. • Data that is exempt from disclosure under the Freedom of Information Act or other laws and regulations. • Unauthorized disclosure could seriously affect a company.||• Trade secrets • Health care information • Programming code • Information that keeps a company competitive||Commercial business / Military|
|Unclassified||• Data is not sensitive or classified.||• Computer manual and warranty information • Recruiting information||Military|
|Sensitive but unclassified (SBU)||• Minor secret. • If disclosed, it could cause serious damage.||• Medical data • Answers to test scores||Military|
|Secret||• If disclosed, it could cause serious damage to national security.||• Deployment plans for troops • Nuclear bomb placement||Military|
|Top secret||• If disclosed, it could cause grave damage to national security.||• Blueprints of new wartime weapons • Spy satellite information • Espionage data||Military|
Guidelines for Information Classification 
- The classification scheme should be neither a long list nor too restrictive and detail-oriented.
- Each classification should be unique and should not overlap with another.
- The classification process should outline how information and applications are handled throughout their life cycle.
Criteria for Information Classification 
- Usefulness of data
- Value of data
- Age of data
- The level of damage that could be caused if the data were disclosed
- The level of damage that could be caused if the data were modified or corrupted
- Legal, regulatory, or contractual responsibility to protect the data
- Effects the data has on national security
- Who should be able to access the data
- Who should maintain the data
- Where the data should be kept
- Who should be able to reproduce the data
- What data requires labels and special marking
- Whether encryption is required for the data
- Whether separation of duties is required
- Which Backup Strategy is appropriate
- Which Recovery Strategy is appropriate
Security Note: An organization needs to make sure that whoever is backing up classified data--and whoever has access to backed-up data--has the necessary clearance level. A large security risk can be introduced if low-end technicians with no security clearance can have access to this information during their tasks.
Data Classification Procedures 
The following outlines the necessary steps for a proper classification program:
- Define classification levels.
- Specify the criteria that will determine how data is classified.
- Have the data owner indicate the classification of the data she is responsible for.
- Identify the data custodian who will be responsible for maintaining data and its security level.
- Indicate the security controls, or protection mechanisms, that are required for each classification level.
- Document any exceptions to the previous classification issues.
- Indicate the methods that can be used to transfer custody of the information to a different data owner.
- Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian.
- Indicate termination procedures for declassifying the data.
- Integrate these issues into the security-awareness program so that all employees understand how to handle data at different classification levels.
Classification Controls 
The type of control implemented per classification depends upon the level of protection that management and the security team have determined is needed. Some of the controls are:
- Strict and granular access control for all levels of sensitive data and programs
- Encryption of data while stored and while in transmission
- Auditing and monitoring (determine what level of auditing is required and how long logs are to be retained)
- Separation of duties (determine whether two or more people need to be involved in accessing sensitive information to protect against fraudulent activities; if so, define and document procedures)
- Periodic reviews (review classification levels, and the data and programs that adhere to them, to ensure that they are still in alignment with business needs; data or applications may also need to be reclassified or declassified, depending upon the situation)
- Backup and recovery procedures (define and document)
- Change control procedures (define and document)
- File and file system access permissions (define and document)
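As an added example (not part of this Wikibook), the Python below encodes the two classification schemes from the table above as ordered levels and applies the Security Note from the classification criteria: anyone handling or backing up data must hold clearance for its level, and the backup copy must carry the same controls as the live data. The level and control names are the page's; which controls apply to which level, the clearance records and the backup job are constructed assumptions.

```python
"""Classification-driven handling checks (added example, not from the Wikibook).

The level names come from the classification table in the text and the control
names from the "Classification Controls" list; which controls apply to which
level, the clearance records and the backup job are constructed assumptions.
"""

# Levels ordered from least to most sensitive, as the two schemes in the text list them.
COMMERCIAL_LEVELS = ("public", "sensitive", "private", "confidential")
MILITARY_LEVELS = ("unclassified", "sbu", "secret", "top secret")

# Assumed control assignment for the commercial scheme (illustrative, not a standard).
REQUIRED_CONTROLS = {
    "public": set(),
    "sensitive": {"access control", "audit"},
    "private": {"access control", "audit", "encryption at rest"},
    "confidential": {"access control", "audit", "encryption at rest",
                     "encryption in transit", "separation of duties"},
}


def rank(level, scheme=COMMERCIAL_LEVELS):
    """Position of a level within its scheme; an unknown label is an error, not 'public'."""
    try:
        return scheme.index(level.lower())
    except ValueError:
        raise ValueError(f"unknown classification level: {level!r}") from None


def cleared_for(clearance, data_level, scheme=COMMERCIAL_LEVELS):
    """A person may handle data only at or below their own clearance (no read-up)."""
    return rank(clearance, scheme) >= rank(data_level, scheme)


def missing_controls(data_level, implemented):
    """Controls the classification demands that the handling arrangement lacks."""
    return REQUIRED_CONTROLS[data_level.lower()] - set(implemented)


def review_backup_job(job, clearances):
    """Apply the text's Security Note to a backup job (commercial scheme assumed):
    every operator needs clearance for the data's level, and the backup copy
    needs the same controls as the live data."""
    findings = []
    level = job["level"].lower()
    for operator in job["operators"]:
        held = clearances.get(operator)
        if held is None:
            findings.append(f"{operator}: no clearance on record")
        elif not cleared_for(held, level):
            findings.append(f"{operator}: cleared for {held}, job handles {level} data")
    gap = missing_controls(level, job["controls"])
    if gap:
        findings.append("missing controls: " + ", ".join(sorted(gap)))
    if "separation of duties" in REQUIRED_CONTROLS[level] and len(job["operators"]) < 2:
        findings.append("separation of duties requires at least two operators")
    return findings


# Constructed sample input: clearance records and one backup job to review.
CLEARANCES = {"alice": "confidential", "bob": "sensitive"}
HR_BACKUP = {
    "dataset": "hr-records",
    "level": "private",
    "operators": ["alice", "bob", "dave"],
    "controls": {"access control", "audit"},
}

if __name__ == "__main__":
    for finding in review_backup_job(HR_BACKUP, CLEARANCES) or ["no findings"]:
        print(finding)
```

Two design points carry over to real tooling: an unknown label raises rather than silently falling back to the lowest level, and the review produces every finding at once rather than stopping at the first, so the data owner sees the whole gap before the job is approved.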
Ethics is the field of study concerned with questions of value, that is, judgments about what type of human behavior is "good" or "bad" in any given situation. Ethics are the standards, values, morals, principles, etc., on which to base one's decisions or actions; often, there is no clear "right" or "wrong" answer.
Basic Concepts 
The term "computer ethics" is open to interpretations both broad and narrow.
- On the narrow side, computer ethics might be understood as the efforts of professional philosophers to apply traditional ethical theories like utilitarianism, Kantianism, or virtue ethics to issues regarding the use of computer technology.
- On the broad side, it can be understood as standards of professional practice, codes of conduct, aspects of computer law, public policy, corporate ethics, and even certain topics in the sociology and psychology of computing.
Professional Code of Ethics 
Certified professionals, including those holding the CISSP, are held morally, and sometimes legally, to a higher standard of ethical behavior. In promoting proper computing behavior within the industry and the confines of our corporate boundaries, professionals should incorporate ethics into their organizational policies and awareness programs.
Several organizations have addressed the issue of ethical behavior through ethics guidelines. These include:
- The Computer Ethics Institute,
- The Internet Activities Board,
- The International Computer Security Association,
- The Information Systems Security Association, and
- The (ISC)2 Code of Ethics.
Computer Ethics Institute 
The CEI Ten Commandments of Computer Ethics
- Thou shalt not use a computer to harm other people.
- Thou shalt not interfere with other people's computer work.
- Thou shalt not snoop around in other people's computer files.
- Thou shalt not use a computer to steal.
- Thou shalt not use a computer to bear false witness.
- Thou shalt not copy or use proprietary software for which you have not paid.
- Thou shalt not use other people's computer resources without authorization or proper compensation.
- Thou shalt not appropriate other people's intellectual output.
- Thou shalt think about the social consequences of the program you are writing or the system you are designing.
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Internet Architecture Board 
The Internet Architecture Board (IAB) is the coordinating committee for Internet design, engineering, and management. It is an independent committee of researchers and professionals with a technical interest in the health and evolution of the Internet.
- IAB has two principal subsidiary task forces:
- The Internet Engineering Task Force (IETF) and
- The Internet Research Task Force (IRTF).
The IAB issues ethics-related statements concerning the use of the Internet. It considers the Internet to be a resource that depends upon availability and accessibility to be useful to a wide range of people. It is mainly concerned with irresponsible acts on the Internet that could threaten its existence or negatively affect others. It sees the Internet as a great gift and works hard to protect it for all who depend upon it. IAB sees the use of the Internet as a privilege, which should be treated as such and used with respect.
- IAB considers the following acts as unethical and unacceptable behavior:
- Purposely seeking to gain unauthorized access to Internet resources
- Disrupting the intended use of the Internet
- Wasting resources (people, capacity, and computers) through purposeful actions
- Destroying the integrity of computer-based information
- Compromising the privacy of others
- Conducting Internet-wide experiments in a negligent manner
The (ISC)2 Code of Ethics 
All information systems security professionals who are certified by (ISC)2 recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all Certified Information Systems Security Professionals (CISSPs) commit to fully support this Code of Ethics. CISSPs who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification.
Code of Ethics Preamble:
- Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
- Therefore, strict adherence to this code is a condition of certification.
Code of Ethics Canons:
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
The Code of Ethics
- Protect society, the commonwealth, and the infrastructure
- Promote and preserve public trust and confidence in information and systems.
- Promote the understanding and acceptance of prudent information security measures.
- Preserve and strengthen the integrity of the public infrastructure.
- Discourage unsafe practice.
- Act honorably, honestly, justly, responsibly, and legally
- Tell the truth; make all stakeholders aware of your actions on a timely basis.
- Observe all contracts and agreements, express or implied.
- Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
- Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
- When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.
- Provide diligent and competent service to principals
- Preserve the value of their systems, applications, and information.
- Respect their trust and the privileges that they grant you.
- Avoid conflicts of interest or the appearance thereof.
- Render only those services for which you are fully competent and qualified.
- Advance and protect the profession
- Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession.
- Take care not to injure the reputation of other professionals through malice or indifference.
- Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others.
Example Topics in Computer Ethics 
Computers in the Workplace 
Computers posing a threat to traditional jobs
As a "universal tool" that can, in principle, perform almost any task, computers obviously pose a threat to jobs.
- Although computers occasionally need repair, they don't require sleep, they don't get tired, they don't go home ill or take time off for rest and relaxation. At the same time, computers are often far more efficient than humans in performing many tasks. Therefore, economic incentives to replace humans with computerized devices are very high.
- In the industrialized world many workers already have been replaced by computerized devices and even professionals like medical doctors, lawyers, teachers, accountants and psychologists are finding that computers can perform many of their traditional professional duties quite effectively.
- The employment outlook, however, is not all bad. In the short run, computer-generated unemployment will be an important social problem; but in the long run, information technology will create many more jobs than it eliminates.
- Even when a job is not eliminated by computers, it can be radically altered by "de-skilling" the workers and turning them into passive observers and button pushers.
Health and Safety at Workplace
- Another workplace issue concerns health and safety. According to Forester and Morrison, when information technology is introduced into a workplace, it is important to consider likely impacts upon health and job satisfaction of workers who will use it. It is possible, for example, that such workers will feel stressed trying to keep up with high-speed computerized devices -- or they may be injured by repeating the same physical movement over and over -- or their health may be threatened by radiation emanating from computer monitors. These are just a few of the social and ethical issues that arise when information technology is introduced into the workplace.
Computer Crime 
Security Aspects behind the Crime
In this era of computer "viruses" and international spying by "hackers" who are thousands of miles away, it is clear that computer security is a topic of concern in the field of computer ethics. The problem is not so much the physical security of the hardware (protecting it from theft, fire, flood, etc.), but rather "logical security", which according to Spafford, Heaphy and Ferbrache is divided into five aspects:
- Privacy and confidentiality
- Integrity -- assuring that data and programs are not modified without proper authority
- Unimpaired service
- Consistency -- ensuring that the data and behavior we see today will be the same tomorrow
- Controlling access to resources
Malicious kinds of software, or "programmed threats", provide a significant challenge to computer security. These include
- viruses, which cannot run on their own, but rather are inserted into other computer programs;
- worms which can move from machine to machine across networks, and may have parts of themselves running on different machines;
- Trojan horses which appear to be one sort of program, but actually are doing damage behind the scenes;
- logic bombs which check for particular conditions and then execute when those conditions arise; and
- bacteria or rabbits which multiply rapidly and fill up the computer's memory.
Trusted Persons vs Hackers
- Computer crimes, such as embezzlement or planting of logic bombs, are normally committed by trusted personnel who have permission to use the computer system. Computer security, therefore, must also be concerned with the actions of trusted computer users.
- Hackers break into someone's computer system without permission. Some hackers intentionally steal data or commit vandalism, while others merely "explore" the system to see how it works and what files it contains. These "explorers" often claim to be benevolent defenders of freedom and fighters against rip-offs by major corporations or spying by government agents. These self-appointed vigilantes of cyberspace say they do no harm, and claim to be helpful to society by exposing security risks. However, every act of hacking is harmful, because any known successful penetration of a computer system requires the owner to thoroughly check for damaged or lost data and programs. Even if the hacker did indeed make no changes, the computer's owner must run through a costly and time-consuming investigation of the compromised system.
Privacy and Anonymity 
The Privacy Concern
Privacy is one of the earliest computer ethics topics to arouse public interest.
- The ease and efficiency with which computers and computer networks can be used to gather, store, search, compare, retrieve and share personal information make computer technology especially threatening to anyone who wishes to keep various kinds of "sensitive" information (e.g., medical records) out of the public domain or out of the hands of those who are perceived as potential threats.
Factors exposing the Privacy
Some of the factors that increase privacy concerns are:
- Commercialization and rapid growth of the internet;
- The rise of the world-wide-web;
- Increasing "user-friendliness" of Computers and Applications
- Processing power of computers;
- Decreasing costs of computer technology
- Data-mining and data matching,
- Recording of "click trails" on the web etc.
Anonymity on the internet is sometimes discussed in the same context with questions of privacy on the internet, because anonymity can provide many of the same benefits as privacy. For example, if someone is using the internet to obtain medical or psychological counseling, or to discuss sensitive topics (for example, AIDS), anonymity can afford protection similar to that of privacy. Similarly, both anonymity and privacy on the internet can be helpful in preserving human values such as security, mental health, self-fulfillment and peace of mind. Unfortunately, privacy and anonymity also can be exploited to facilitate unwanted and undesirable computer-aided activities in cyberspace, such as money laundering, drug trading, terrorism, or preying upon the vulnerable.
Intellectual Property 
One of the more controversial areas of computer ethics concerns the intellectual property rights connected with software ownership.
- Some people, like Richard Stallman who started the Free Software Foundation, believe that software hoarding should not be allowed at all. He claims that all programs distributed to the public should be free, and all programs distributed to the public should be available for copying, studying and modifying by anyone who wishes to do so.
- Some argue that software companies or programmers would not invest weeks and months of work and significant funds in the development of software if they could not get the investment back in the form of license fees or sales.
- Today's software industry is a multibillion dollar part of the economy; and software companies claim to lose billions of dollars per year through illegal copying ("software piracy").
- Many people think that software should be ownable, but "casual copying" of personally owned programs for one's friends should also be permitted.
- The software industry claims that millions of dollars in sales are lost because of such copying. Ownership is a complex matter, since there are several different aspects of software that can be owned and three different types of ownership: copyrights, trade secrets, and patents. One can own the following aspects of a program:
- The "source code" which is written by the programmer(s) in a high-level computer language like Java or C++.
- The "object code", which is a machine-language translation of the source code.
- The "algorithm", which is the sequence of machine commands that the source code and object code represent.
- The "look and feel" of a program, which is the way the program appears on the screen and interfaces with users.
- A very controversial issue today is owning a patent on a computer algorithm.
- A patent provides an exclusive monopoly on the use of the patented item, so the owner of an algorithm can deny others use of the mathematical formulas that are part of the algorithm.
- Mathematicians and scientists are outraged, claiming that algorithm patents effectively remove parts of mathematics from the public domain, and thereby threaten to cripple science.
- Running a preliminary "patent search" to make sure that your "new" program does not violate anyone's software patent is a costly and time-consuming process. As a result, only very large companies with big budgets can afford to run such a search. This effectively eliminates many small software companies, stifling competition and decreasing the variety of programs available to the society.
Professional Responsibility 
Computer professionals have specialized knowledge and often have positions with authority and respect in the community. Along with such power to change the world comes the duty to exercise that power responsibly. Computer professionals find themselves in a variety of professional relationships with other people including:
- employer -- employee
- client -- professional
- professional -- professional
- society -- professional
These relationships involve a diversity of interests, and sometimes these interests can come into conflict with each other. Responsible computer professionals, therefore, will be aware of possible conflicts of interest and try to avoid them.
Professional organizations like the Association for Computing Machinery (ACM) and the Institute of Electrical and Electronic Engineers (IEEE), also have established codes of ethics, curriculum guidelines and accreditation requirements to help computer professionals understand and manage ethical responsibilities.
Computer ethics today is rapidly evolving into a broader and even more important field, which might reasonably be called "global information ethics".
For the first time in the history of the earth, ethics and values are debated and transformed in a context that is not limited to a particular geographic region, or constrained by a specific religion or culture. This may very well be one of the most important social developments in history but some of the issues like Global Laws, Global Cyberbusiness, Global Education, Information Rich and Information Poor etc. are a growing concern for the networked world.
Common Computer Ethics Fallacies 
The lack of early, computer-oriented childhood rearing and conditioning has led to several pervasive fallacies. The generation of computer users includes those from 7 to 70 years old who use computing and other information technologies. Like all fallacies, some people are heavily influenced by them, and some are less so. Some of the common fallacies, which are probably the most important, are:
- The Computer Game Fallacy
- The Law-Abiding Citizen Fallacy
- The Shatterproof Fallacy
- The Candy-from-a-Baby Fallacy
- The Hacker's Fallacy
- The Free Information Fallacy
Hacking and Hacktivism 
A hacker is a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.
The Hacker Ethics 
The two most common, but not widely accepted, hacker ethics are:
- The belief that information-sharing is a powerful positive good, and that it is an ethical duty of hackers to share their expertise by writing open-source code and facilitating access to information and to computing resources wherever possible.
- The belief that system-cracking for fun and exploration is ethically OK as long as the cracker commits no theft, vandalism, or breach of confidentiality.