CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)

Operations Security Concepts

401

of activities related to security controls and mechanisms. The resulting data is then used to identify agents of change, whether objects, subjects, programs, communication pathways, or even the network itself. The means to provide this function is to deploy configuration management control or change management control. These mechanisms ensure that any alterations or changes to a system do not result in diminished security. Configuration/change management controls provide a process by which all system changes are tracked, audited, controlled, identified, and approved. These controls require that all system changes undergo a rigorous testing procedure before being deployed onto the production environment. They also require documentation of any changes to user work tasks and the training of any affected users. Configuration/change management controls should minimize the effect on security from any alteration to the system. They often provide a means to roll back a change if it is found to cause a negative or unwanted effect on the system or on security.

There are five steps or phases involved in configuration/change management control:

1. Applying to introduce a change

2. Cataloging the intended change

3. Scheduling the change

4. Implementing the change

5. Reporting the change to the appropriate parties

When a configuration/change management control solution is enforced, it creates complete documentation of all changes to a system. This provides a trail of information if the change needs to be removed. It also provides a roadmap or procedure to follow if the same change is implemented on other systems. When a change is properly documented, that documentation can assist administrators in minimizing the negative effects of the change throughout the environment.

Configuration/change management control is a mandatory element of the TCSEC ratings of B2, B3, and A1 but it is recommended for all other TCSEC rating levels. Ultimately, change management improves the security of an environment by protecting implemented security from unintentional, tangential, or effected diminishments. Those in charge of change management should oversee alterations to every aspect of a system, including hardware configuration and system and application software. It should be included in design, development, testing, evaluation, implementation, distribution, evolution, growth, ongoing operation, and application of modifications. Change management requires a detailed inventory of every component and configuration. It also requires the collection and maintenance of complete documentation for every system component (including hardware and software) and for everything from configuration settings to security features.

Standards of Due Care and Due Diligence

Due care is using reasonable care to protect the interests of an organization. Due diligence is practicing the activities that maintain the due care effort. For example, due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due diligence is the continued application of this security structure onto the IT infrastructure of an organization. Operational security is the ongoing maintenance of continued due care and due diligence by all responsible parties within an organization.

402 Chapter 13 Administrative Management

In today’s business environment, showing prudent due care and due diligence is the only way to disprove negligence in an occurrence of loss. Senior management must show reasonable due care and due diligence to reduce their culpability and liability when a loss occurs. Senior management could be responsible for monetary damages up to $290 million for nonperformance of due diligence in accordance with the U.S. Federal Sentencing Guidelines of 1991.

Privacy and Protection

Privacy is the protection of personal information from disclosure to any unauthorized individual or entity. In today’s online world, the line between public information and private information is often blurry. For example, is information about your web surfing habits private or public? Can that information be gathered legally without your consent? And can the gathering organization sell that information for a profit that you don’t share in? However, your personal information includes more than information about your online habits; it also includes who you are (name, address, phone, race, religion, age, etc.), your health and medical records, your financial records, and even your criminal or legal records.

Dealing with privacy is a requirement for any organization that has people as employees. Thus, privacy is a central issue for all organizations. The protection of privacy should be a core mission or goal set forth in the security policy of an organization. Privacy issues are discussed at greater length in Chapter 17, “Law and Investigations.”

Legal Requirements

Every organization operates within a certain industry and country. Both of these entities impose legal requirements, restrictions, and regulations on the practices of organizations that fall within their realm. These legal requirements can apply to licensed use of software, hiring restrictions, handling of sensitive materials, and compliance with safety regulations. Complying with all applicable legal requirements is a key part of sustaining security. The legal requirements of an industry and of a country (and often of a state and city) should be considered the baseline or foundation upon which the remainder of the security infrastructure must be built.

Illegal Activities

Illegal activities are actions that violate a legal restriction, regulation, or requirement. They include fraud, misappropriation, unauthorized disclosure, theft, destruction, espionage, entrapment, and so on. A secure environment should provide mechanisms to prevent the committal of illegal activities and the means to track illegal activities and maintain accountability of the individuals perpetrating the crimes.

Preventative control mechanisms include identification and authentication, access control, separation of duties, job rotation, mandatory vacations, background screening, awareness training, least privilege, and many more. Detective mechanisms include auditing, intrusion detection systems, and more.


Record Retention

Record retention is the organizational policy that defines what information is maintained and for how long. In most cases, the records in question are audit trails of user activity. This may include file and resource access, logon patterns, e-mail, and the use of privileges. Note that in some legal jurisdictions, users must be made aware that their activities are being tracked.

Depending upon your industry and your relationship with the government, you may need to retain records for three years, seven years, or indefinitely. In most cases, a separate backup mechanism is used to create archived copies of sensitive audit trails and accountability information. This allows for the main data backup system to periodically reuse its media without violating the requirement to retain audit trails and the like.

If data about individuals is being retained by your organization (such as a conditional employment agreement or a use agreement), the employees and customers need to be made aware of it. In many cases, the notification requirement is a legal issue; in others, it is simply a courtesy. In either case, it is a good idea to discuss the issue with appropriate legal counsel.

Sensitive Information and Media

Managing information and media properly—especially in a high-security environment in which sensitive, confidential, and proprietary data is processed—is crucial to the security and stability of an organization. Because the value of the stored data is momentous in comparison with the cost of the storage media, always purchase media of the highest quality. In addition to media selection, there are several key areas of information and media management: marking, handling, storage, life span, reuse, and destruction.

Marking and Labeling Media

The marking of media is the simple and obvious activity of clearly and accurately defining its contents. The most important aspect of marking is to indicate the security classification of the data stored on the media so that the media itself can be handled properly. Tapes with unclassified data do not need as much security in their storage and transport as do tapes with classified data.

Data labels should be created automatically and stored as part of the backup set on the media. Additionally, a physical label should be applied to the media and maintained for the lifetime of the media. Media used to store classified information should never be reused to store less-sensitive data.

Handling Media

Handling refers to the secured transportation of media from the point of purchase through storage and finally to destruction. Media must be handled in a manner consistent with the classification of the data it hosts. The environment within which media is stored can significantly affect its useful lifetime. For example, very warm environments or very dusty environments can cause damage to tape media, shortening its life span. Here are some useful guidelines for handling media:

Keep new media in its original sealed packaging until it’s needed to keep it isolated from the environment’s dust and dirt.

When opening a media package, take extra caution not to damage the media in any way. This includes avoiding sharp objects and not twisting or flexing the media.


Avoid exposing the media to temperature extremes; it shouldn’t be stored too close to heaters, radiators, air conditioners, or anything else that could cause extreme temperatures.

Do not use media that has been damaged in any way, exposed to abnormal levels of dust and dirt, or dropped.

Media should be transported from one site to another in a temperature-controlled vehicle.

Media should be protected from exposure to the outside environment; avoid sunlight, moisture, humidity, heat, and cold. Always transport media in an airtight, waterproof, secured container.

Media should be acclimated for 24 hours before use.

Appropriate security should be maintained over media from the point of departure from the backup device to the secured offsite storage facility. Media is vulnerable to damage and theft at any point during transportation.

Appropriate security should be maintained over media at all other times (including when it’s reused) throughout the lifetime of the media until destruction.

Storing Media

Media should be stored only in a secured location in which the temperature and humidity is controlled, and it should not be exposed to magnetic fields, especially tape media. Elevator motors, printers, and CRT monitors all have strong electric fields. The cleanliness of the storage area will directly affect the life span and usefulness of media. Access to the storage facility should be controlled at all times. Physical security is essential to maintaining the confidentiality, integrity, and availability of backup media.

Managing Media Life Span

All media has a useful life span. Reusable media will have a mean time to failure (MTTF) that is usually represented in the number of times it can be reused. Most tape backup media can be reused 3 to 10 times. When media is reused, it must be properly cleared. Clearing is a method of sufficiently deleting data on media that will be reused in the same secured environment. Purging is erasing the data so the media can be reused in a less-secure environment. Unless absolutely necessary, do not employ media purging. The cost of supplying each classification level with its own media is insignificant compared to the damage that can be caused by disclosure. If media is not to be archived or reused within the same environment, it should be securely destroyed.

Once backup media has reached its MTTF, it should be destroyed. Secure destruction of media that contained confidential and sensitive data is just as important as the storage of such media. When destroying media, it should be erased properly to remove data remanence. Once properly purged, media should be physically destroyed to prevent easy reuse and attempted data gleaning through casual (keyboard attacks) or high-tech (laboratory attacks) means. Physical crushing is often sufficient, but incineration may be necessary.

Preventing Disclosure via Reused Media

Preventing disclosure of information from backup media is an important aspect of maintaining operational security. Disclosure prevention must occur at numerous instances in the life span of media. It must be addressed upon every reuse in the same secure environment, upon every reuse in a different or less-secure environment, upon removal from service, and upon destruction. Addressing this issue can take many forms, including erasing, clearing, purging, declassification, sanitization, overwriting, degaussing, and destruction.

Erasing media is simply performing a delete operation against a file, a selection of files, or the entire media. In most cases, the deletion or removal process only removes the directory or catalog link to the data. The actual data remains on the drive. The data will remain on the drive until it is overwritten by other data or properly removed from the media.

Clearing, or overwriting, is a process of preparing media for reuse and assuring that the cleared data cannot be recovered by any means. When media is cleared, unclassified data is written over specific locations or over the entire media where classified data was stored. Often, the unclassified data is strings of 1s and 0s. The clearing process typically prepares media for reuse in the same secure environment, not for transfer to other environments.

Purging is a more intense form of clearing that prepares media for reuse in less-secure environments. Depending on the classification of the data and the security of the environment, the purging process is repeated 7 to 10 times to provide assurance against data recovery via laboratory attacks.

Declassification involves any process that clears media for reuse in less-secure environments. In most cases, purging is used to prepare media for declassification, but most of the time, the efforts required to securely declassify media are significantly greater than the cost of new media for a less-secure environment.

Sanitization is any number of processes that prepares media for destruction. It ensures that data cannot be recovered by any means from destroyed or discarded media. Sanitization can also be the actual means by which media is destroyed. Media can be sanitized by purging or degaussing without physically destroying the media. Degaussing magnetic media returns it to its original pristine, unused state. Sanitization methods that result in the physical destruction of the media include incineration, crushing, and shredding.

Care should be taken when performing any type of sanitization, clearing, or purging process. It is possible that the human operator or the tool involved in the activity will not properly perform the task of removing data from the media. Software can be flawed, magnets can be faulty, and either can be used improperly. Always verify that the desired result is achieved after performing a sanitization process.

Destruction is the final stage in the life cycle of backup media. Destruction should occur after proper sanitization or as a means of sanitization. When media destruction takes place, you must ensure that the media cannot be reused or repaired and that data cannot be extracted from the destroyed media by any possible means. Methods of destruction can include incineration, crushing, shredding, and dissolving using caustic or acidic chemicals.
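The following is an added example, not from the study guide, that models the erase/clear/purge distinction and the verify-afterward caveat from the paragraphs above on a simulated medium (a bytearray with a separate catalog). The overwrite patterns, the sample file contents, and the `faulty_clear` tool are constructed for the illustration.

```python
"""Simulated storage medium contrasting erasing, clearing and purging.

The medium is a bytearray plus a separate catalog (name -> (offset, length)),
mirroring the text's point that a delete removes only the catalog link.
"""
from typing import Dict, List, Optional, Tuple

# Overwrite patterns for the clearing/purging passes (an assumption of this
# example; the text only says "strings of 1s and 0s").
PATTERNS = (b"\x00", b"\xff", b"\xaa", b"\x55")


class Medium:
    def __init__(self, size: int) -> None:
        self.size = size
        self.blocks = bytearray(size)                    # raw data area
        self.catalog: Dict[str, Tuple[int, int]] = {}    # name -> (offset, len)

    def write(self, name: str, offset: int, data: bytes) -> None:
        """Store a file's bytes and register it in the catalog."""
        if offset + len(data) > self.size:
            raise ValueError("write exceeds medium size")
        self.blocks[offset:offset + len(data)] = data
        self.catalog[name] = (offset, len(data))

    def erase(self, name: str) -> None:
        """'Delete' as the text describes it: drop the catalog entry only."""
        del self.catalog[name]

    def remanence(self, needle: bytes) -> bool:
        """Does the raw medium still contain needle? (casual recovery check)"""
        return needle in bytes(self.blocks)

    def clear(self, offset: int, length: int, passes: int = 1) -> None:
        """Overwrite a region `passes` times with alternating patterns.

        One pass is clearing for reuse in the same environment; the text's
        purging for a less-secure environment repeats it 7 to 10 times.
        Catalog entries overlapping the region are dropped as well.
        """
        for i in range(passes):
            pattern = PATTERNS[i % len(PATTERNS)]
            self.blocks[offset:offset + length] = pattern * length
        for name, (start, size) in list(self.catalog.items()):
            if start < offset + length and offset < start + size:
                del self.catalog[name]

    def purge(self, passes: int = 7) -> None:
        """Purge: multi-pass overwrite of the entire medium."""
        self.clear(0, self.size, passes)

    def verify(self, sensitive: List[bytes], offset: int = 0,
               length: Optional[int] = None) -> bool:
        """The post-sanitization check the text insists on: the region holds
        only pattern bytes, and no sensitive string survives anywhere."""
        length = self.size - offset if length is None else length
        allowed = {p[0] for p in PATTERNS}
        region = self.blocks[offset:offset + length]
        if any(b not in allowed for b in region):
            return False
        return not any(self.remanence(s) for s in sensitive)


def faulty_clear(medium: Medium, offset: int, length: int) -> None:
    """A constructed buggy tool: 'clears' but only zeroes the first byte."""
    medium.blocks[offset] = 0


def demo() -> Dict[str, bool]:
    """Walk erase -> clear -> purge on constructed sample data, plus one
    run with the faulty tool to show why verification matters."""
    secret = b"CLASSIFIED: payroll Q3"    # constructed sample content
    public = b"PUBLIC: cafeteria menu"    # constructed sample content
    m = Medium(size=128)
    m.write("payroll.txt", 0, secret)
    m.write("menu.txt", 64, public)

    m.erase("payroll.txt")                        # delete only the link
    after_erase = m.remanence(secret)             # True: data still there

    m.clear(0, len(secret), passes=1)             # same-environment reuse
    after_clear = m.remanence(secret)             # False
    clear_ok = m.verify([secret], 0, len(secret))

    m.purge(passes=7)                             # less-secure reuse
    purge_ok = m.verify([secret, public])

    f = Medium(size=64)
    f.write("payroll.txt", 0, secret)
    faulty_clear(f, 0, len(secret))               # operator believes it worked
    faulty_tool_ok = f.verify([secret], 0, len(secret))   # False: caught

    return {"after_erase": after_erase, "after_clear": after_clear,
            "clear_ok": clear_ok, "purge_ok": purge_ok,
            "catalog_empty": not m.catalog, "faulty_tool_ok": faulty_tool_ok}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The faulty-tool run is the point of the verification step: searching for the known secret alone would report success, while checking that every byte in the region carries a pattern value catches the incomplete overwrite.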

Security Control Types

There are several methods used to classify security controls. The classification can be based on the nature of the control, such as administrative, technical/logical, or physical. It can also be based on the action or objective of the control, such as directive, preventative, detective, corrective, and recovery. Some controls can have multiple action/objective classifications.


A directive control is a security tool used to guide the security implementation of an organization. Examples of directive controls include security policies, standards, guidelines, procedures, laws, and regulations. The goal or objective of directive controls is to cause or promote a desired result.

A preventive control is a security mechanism, tool, or practice that can deter or mitigate undesired actions or events. Preventive controls are designed to stop or reduce the occurrence of various crimes, such as fraud, theft, destruction, embezzlement, espionage, and so on. They are also designed to avert common human failures such as errors, omissions, and oversights. Preventative controls are designed to reduce risk. Although not always the most cost effective, they are preferred over detective or corrective controls from a perspective of maintaining security. Stopping an unwanted or unauthorized action before it occurs results in a more secure environment than detecting and resolving problems after they occur does. Examples of preventive controls include firewalls, authentication methods, access controls, antivirus software, data classification, separation of duties, job rotation, risk analysis, encryption, warning banners, data validation, prenumbered forms, checks for duplications, and account lockouts.

A detective control is a security mechanism used to verify whether the directive and preventative controls have been successful. Detective controls actively search for both violations of the security policy and actual crimes. They are used to identify attacks and errors so that appropriate action can be taken. Examples of detective controls include audit trails, logs, closed-circuit television (CCTV), intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and cyclical redundancy checks (CRCs).

Corrective controls are instructions, procedures, or guidelines used to reverse the effects of an unwanted activity, such as attacks and errors. Examples of corrective controls include manuals, procedures, logging and journaling, incident handling, and fire extinguishers.

A recovery control is used to return affected systems back to normal operations after an attack or an error has occurred. Examples of recovery controls include system restoration, backups, rebooting, key escrow, insurance, redundant equipment, fault-tolerant systems, failover, checkpoints, and contingency plans.

Operations Controls

Operations controls are the mechanisms and daily procedures that provide protection for systems. They are typically security controls that must be implemented or performed by people rather than automated by the system. Most operations controls are administrative in nature, but they also include some technical or logical controls.

When possible, operations controls should be invisible or transparent to users. The less a user sees the security controls, the less likely they are to feel that security is hampering their productivity. Likewise, the less users know about the security of the system, the less likely they are to be able to circumvent it.

The operations controls for resource protection are designed to provide security for the resources of an IT environment. Resources are the hardware, software, and data assets that an organization’s IT infrastructure comprises. To maintain confidentiality, integrity, and availability of the hosted assets, the resources themselves must be protected. When designing a protection scheme for resources, it is important to keep the following aspects or elements of the IT infrastructure in mind:

Communication hardware/software

Boundary devices

Processing equipment

Password files

Application program libraries

Application source code

Vendor software

Operating system

System utilities

Directories and address tables

Proprietary packages

Main storage

Removable storage

Sensitive/critical data

System logs/audit trails

Violation reports

Backup files and media

Sensitive forms and printouts

Isolated devices, such as printers and faxes

Telephone network

Another aspect of operations controls is privileged entity controls. A privileged entity is an administrator or system operator who has access to special, higher-order functions and capabilities that normal users don’t have access to. Privileged entity access is required for many administrative and control job tasks, such as creating new user accounts, adding new routes to a router table, or altering the configuration of a firewall. Privileged entity access can include system commands, system control interfaces, system log/audit files, and special control parameters. Access to privileged entity controls should be restricted and audited to prevent usurping of power by unauthorized users.

Hardware controls are another part of operations controls. Hardware controls focus on restricting and managing access to the IT infrastructure hardware. In many cases, periodic maintenance, error/attack repair, and system configuration changes require direct physical access to hardware. An operations control to manage access to hardware is a form of physical access control. All personnel who are granted access to the physical components of the system must have authorization. It is also a good idea to provide supervision while hardware operations are being performed by third parties.


Other issues related to hardware controls include management of maintenance accounts and port controls. Maintenance accounts are predefined default accounts that are installed on hardware (and in software) and have preset and widely known passwords. These accounts should be renamed and a strong password assigned. Many hardware devices have diagnostic or configuration/console ports. They should be accessible only to authorized personnel, and if possible, they should be disabled when not in use for approved maintenance operations.

Input and output controls are mechanisms used to protect the flow of information into and out of a system. These controls also protect applications and resources by preventing invalid, oversized, or malicious input from causing errors or security breaches. Output controls restrict the data that is revealed to users by restricting content based on subject classification and the security of the communication’s connection. Input and output controls are not limited to technical mechanisms; they can also be physical controls (for example, restrictions against bringing memory flashcards, printouts, floppy disks, CD-Rs, and so on into or out of secured areas).

Media controls are similar to the topics discussed in the section “Sensitive Information and Media” earlier in this chapter. Media controls should encompass the marking, handling, storage, transportation, and destruction of media such as floppies, memory cards, hard drives, backup tapes, CD-Rs, CD-RWs, and so on. A tracking mechanism should be used to record and monitor the location and uses of media. Secured media should never leave the boundaries of the secured environment. Likewise, any media brought into a secured environment should not contain viruses, malicious code, or other unwanted code elements, nor should that media ever leave the secured environment except after proper sanitization or destruction.

Operations controls include many of the administrative controls that we have already discussed numerous times, such as separation of duties and responsibilities, rotation of duties, least privilege, and so on.

Personnel Controls

No matter how much effort, expense, and expertise you put into physical access control and logical/technical security mechanisms, you will always have to deal with people. In fact, people are both your last line of defense and your worst security management issue. People are vulnerable to a wide range of attacks, plus they can intentionally violate security policy and attempt to circumvent physical and logical/technical security controls. Because of this, you must endeavor to employ only those people who are the most trustworthy.

Security controls to manage personnel are considered a type of administrative controls. These controls and issues should be clearly outlined in your security policy and followed as closely as possible. Failing to employ strong personnel controls may render all of your other security efforts worthless.

The first type of personnel control is used in the hiring process. To hire a new employee, you must first know what position needs to be filled. This requires the creation of a detailed job description. The job description should outline the work tasks and responsibilities of the position, which will in turn dictate the access and privileges needed in the environment. Furthermore, the job description defines the knowledge, skill, and experience level required by the position. Only after the job description has been created is it possible to begin screening applicants for the position.


The next step in using personnel controls is selecting the best person for the job. In terms of security, this means the most trustworthy. Often trustworthiness is determined through background and reference checks, employment history verification, and education and certification verification. This process could even include credit checks and FBI background checks.

Once a person has been hired, personnel controls should be deployed to continue to monitor and evaluate their work. Personnel controls monitoring activity should be deployed for all employees, not just new ones. These controls can include access audit and review, validation of security clearances, periodic skills assessment, supervisory employee ratings, and supervisor oversight and review. Often companies will employ a policy of mandatory vacations in one- or two-week increments. Such a tool removes the employee from the environment and allows another cross-trained employee to perform their work tasks during the interim. This activity serves as a form of peer review, providing a means to detect fraud and collusion. At any time, if an employee is found to be in violation of security policy, they should be properly reprimanded and warned. If the employee continues to commit security policy violations, they should be terminated.

Finally, there are personnel controls that govern the termination process. When an employee is to be fired, an exit interview should be conducted. For the exit interview, the soon-to-be-released employee is brought to a manager’s office for a private meeting. This meeting is designed to remove them from their workspace and to minimize the effect of the firing activity on other employees. The meeting usually consists of the employee, a manager, and a security guard. The security guard acts as a witness and as a protection agent. The exit interview should be coordinated with the security administration staff so that just as the exit interview begins, the employee’s network and building access is revoked. During the exit interview, the employee is reminded of their legal obligations to comply with any nondisclosure agreements and not to disclose any confidential data. The employee must return all badges, keys, and other company equipment on their person. Once the exit interview is complete, the security guard escorts the terminated employee out of the facility and possibly even off of the grounds. If the ex-employee has any company equipment at home or at some other location, the security guard should accompany the ex-employee to recover those items. The purpose of an exit interview is primarily to reinforce the nondisclosure issue, but it also serves the purpose of removing the ex-employee from the environment, having all access removed and devices returned, and preventing or minimizing any retaliatory activities because of the termination.

Summary

There are many areas of day-to-day operations that are susceptible to security breaches. Therefore, all standards, guidelines, and procedures should clearly define personnel management practices. Important aspects of personnel management include antivirus management and operations security.

Personnel management is a form of administrative control or administrative management. You must include clearly defined personnel management practices in your security policy and subsequent formalized security documentation. From a security perspective, personnel management focuses on three main areas: hiring practices, ongoing job performance, and termination procedures.


Operations security consists of controls to maintain security in an office environment from design to deployment. Such controls include hardware, media, and subject (user) controls that are designed to protect against asset threats. Because viruses are the most common form of security breach in the IT world, managing a system’s antivirus protection is one of the most important aspects of operations security. Any communications pathway, such as e-mail, websites, and documents, and even commercial software, can and will be exploited as a delivery mechanism for a virus or other malicious code. Antivirus management is the design, deployment, and maintenance of an antivirus solution for your IT environment.

Backing up critical information is a key part of maintaining the availability and integrity of data and an essential part of maintaining operations security. Having a reliable backup is the best form of insurance that the data on the affected system is not permanently lost.

Changes in a user’s workstation or their physical location within an organization can be used as a means to improve or maintain security. When a user’s workstation is changed, the user is less likely to alter the system or install unapproved software because the next person to use the system would most likely be able to discover it.

The concepts of need-to-know and the principle of least privilege are two important aspects of a high-security environment. A user must have a need-to-know to gain access to data or resources. To comply with the principle of least privilege, users should be granted the least amount of access to the secure environment that still allows them to complete their work tasks.

Activities that require special access or privilege to perform within a secured IT environment are considered privileged operations functions. Such functions should be restricted to administrators and system operators.

Due care is performing reasonable care to protect the interest of an organization. Due diligence is practicing the activities that maintain the due care effort. Operational security is the ongoing maintenance of continued due care and due diligence by all responsible parties within an organization.

Another central issue for all organizations is privacy, which means providing protection of personal information from disclosure to any unauthorized individual or entity. The protection of privacy should be a core mission or goal set forth in an organization’s security policy.

It’s also important that an organization operate within the legal requirements, restrictions, and regulations of its country and industry. Complying with all applicable legal requirements is a key part of sustaining security.

Illegal activities are actions that violate a legal restriction, regulation, or requirement. Fraud, misappropriation, unauthorized disclosure, theft, destruction, espionage, and entrapment are all examples of illegal activities. A secure environment should provide mechanisms to prevent the committal of illegal activities and the means to track illegal activities and maintain accountability of the individuals perpetrating the crimes.

In a high-security environment where sensitive, confidential, and proprietary data is processed, managing information and media properly is crucial to the environment’s security and stability. There are four key areas of information and media management: marking, handling, storage, and destruction. Record retention is the organizational policy that defines what information is maintained and for how long. If data about individuals is being retained by your organization, the employees and customers need to be made aware of it.
