Implementing security

TransformingLives. InventingtheFuture. www.iit.edu
I ELLINOIS T UINS TI T
OF TECHNOLOGY
ITM 578 1
Implementing Security
Ray Trygstad
ITM 478/578
Spring 2004
Information Technology & Management Degree Programs
CenterforProfessional Development
Slides based on Whitman, M. and Mattord, H., Principles of InformationSecurity; Thomson Course Technology 2003

ITM 578 2
ILLINOIS INSTITUTE OF TECHNOLOGY
Learning Objectives
Upon completion of this lesson the
student should be able to:
– Describe how the organization’s security
blueprint becomes a project plan
– Discuss the numerous organizational
considerations that must be addressed by
the project plan
– Discribe the significant role and
importance of the project manager in the
success of an information security project

ITM 578 3
Learning Objectives
Upon completion of this lesson the
student should be able to:
– Discuss the need for professional project
management for complex projects
– Describe technical strategies and models
for implementing the project plan
– Recognize nontechnical problems that
organizations face in times of rapid
change

ITM 578 4

ITM 578 5
Introduction
 In general the implementation phase is
accomplished by changing the configuration
and operation of the organization’s
information systems to make them more
secure.
 It includes changes to:
– Procedures (through policy)
– People (through training)
– Hardware (through firewalls)
– Software (through encryption)
– Data (perhaps through classification)

ITM 578 6
Introduction
During the implementation phase,
the organization translates its
blueprint for information security
into a concrete project plan
The project plan delivers instructions
to the individuals who are executing
the implementation

ITM 578 7
Introduction
 These instructions focus on the security
control changes needed to the hardware,
software, procedures, data, and people that
make up the organization’s information
systems
 But before a project plan can be developed,
management should have articulated and
coordinated the information security vision
and objectives involved in the execution of
the plan

ITM 578 8
Analyze
Physical Design
Implementa tion:
Implementing Security
Chapter 10
Logical Design
Maintain
FIG URE 10-1 Implementation Phase within the SecSDLC
Implementa tion:
Personnel & Security
Chapter 11
Implementation Phase

ITM 578 9
Project Management
Once the organization’s vision and
objectives are documented and
understood, the blueprint can be
turned into a project plan
The major steps in executing the
project plan are:
– Planning the project
– Supervising tasks and maintaining
control
– Wrapping up the project plan

ITM 578 10
Project Management
The project plan can be developed in
any number of ways
Each organization has to determine
its own project management
methodology for IT and information
security projects

ITM 578 11
Project Management
Whenever possible, information
security projects should follow the
organizational practices of project
management.
If your organization does not have
clearly defined project management
practices, the following general
guidelines on project management
practices can be applied

ITM 578 12
Developing the Project Plan
 Creation of a detailed project plan using a
simple planning tool, such as the work
breakdown structure (WBS)
– Common task attributes are:
• Work to be accomplished (activities and deliverables)
• Individuals (or skills set) assigned to perform the task
• Start and end dates for the task (when known)
• Amount of effort required for completion in hours or
work days
• Estimated capital expenses for the task
• Estimated non-capital expenses for the task
• Other tasks on which the task depends
– Each major task is then further divided into
either smaller tasks or specific action steps

ITM 578 13
Project Planning
 As the project plan is developed, adding
detail to the plan not always straightforward
 Special considerations include:
– financial
– priority
– time
– staff
– scope
– procurement
– organizational feasibility
– training and indoctrination
– change control and technology governance

ITM 578 14
Each major task is then further
divided into either smaller tasks or
specific action steps.
Key components of the project plan
are:
– Identify Work To Be Accomplished.
– Describe the skill set or individual
person needed to accomplish the task.
– Focus on determining only completion
dates for major milestones.

ITM 578 15
– Estimate the expected capital expenses
for the completion of this task, subtask,
or action item.
– Estimate the expected non-capital
expenses for the completion of the task,
subtask, or action item.
– Note wherever possible the
dependencies of other tasks or action
steps on the task or action step at hand.

ITM 578 16
Financial
No matter what information security
needs exist in the organization, the
amount of effort that can be expended
depends on the funds available
Cost-benefit analysis must be verified
prior to development of the project plan

ITM 578 17
Financial
Both public and private organizations
have budgetary constraints, albeit of a
different nature
To justify an amount budgeted for a
security project at either public or
for-profit organizations, it may be
useful to benchmark expenses of
similar organizations

ITM 578 18
Priority
 In general, the most important information
security controls should be scheduled first
 The implementation of controls is guided by
the prioritization of threats and the value of
the information assets threatened
 A control that costs a little more and is a
little lower on the prioritization list but
addresses many more specific vulnerabilities
and threats have higher priority than a less
expensive, higher priority component that
only addresses one particular vulnerability

ITM 578 19
Time and Scheduling
 Time is another constraint that has a broad
impact on the development of the project
plan
 Time can impact dozens of points in the
development of a project plan including the
following:
– time to order and receive a security control due to
backlogs of the vendor or manufacturer
– time to install and configure the control
– time to train the users
– time to realize the return on investment of the
control

ITM 578 20
Staffing
 The lack of enough qualified, trained, and
available personnel also constrains the
project plan
 Experienced staff is often needed to
implement available technologies and to
develop and implement policies and training
programs
 If no staff members are trained to configure
a firewall that is being purchased, someone
must be trained, or someone must be hired
who is experienced with that particular
technology

ITM 578 21
Scope
 It is unrealistic for an organization to install
all information security components at once
 In addition to the constraints of handling so
many complex tasks at one time, there are
the problems of interrelated conflicts
between the installation of information
security controls and the daily operations of
the organization
 The installation of new information security
controls may also conflict with existing
controls

ITM 578 22
Procurement
 All IT and information security planners
must consider the acquisition of goods and
services
 There are a number of constraints on the
selection process for equipment and services
in most organizations, specifically in the
selection of certain service vendors or
products from manufacturers and suppliers
 These constraints may change the specifics
of a particular technology or even eliminate
it from the realm of possibilities

ITM 578 23
Organizational Feasibility
Policies require time to develop and
new technologies require time to be
installed, configured, and tested
Employees need to understand how a
new program impacts their working
lives

ITM 578 24
Organizational Feasibility
The goal of the project plan is to avoid
new security components from directly
impacting the day-to-day operations of
the individual employees
Changes should be transparent to
users, unless the new technology
causes changes to procedures, such as
requiring additional authentication or
verification

ITM 578 25
Training and Indoctrination
The size of the organization and the
normal conduct of business may
preclude a single large training
program
As a result, the organization should
conduct a phased in or pilot approach
to implementation, such as “roll-out”
training for one department at a time

ITM 578 26
Training and Indoctrination
In the case of policies, it may be
sufficient to brief all supervisors on
new policy and then have the
supervisors update end users in
normal meetings
Ensure that compliance documents
are also distributed, requiring all
employees to read, understand, and
agree to the new policies

ITM 578 27
Change Control & Technology Governance
In organizations that have IT
infrastructures of significant size, the
change control and technology
governance issues become essential

ITM 578 28
Project Management
Project management requires a unique
set of skills and a thorough
understanding of a broad body of
specialized knowledge
It is a realistic assumption that most
information security projects require a
trained project manager, CISO, or
skilled IT manager versed in project
management techniques to oversee the
project

ITM 578 29
Project Management
In addition, when selecting advanced
or integrated technologies or
outsourced services even experienced
project managers are advised to seek
expert assistance when engaging in a
formal bidding process

ITM 578 30
Supervising Implementation
Some organizations may designate a
champion from general management to
supervise the implementation of the
project plan
An alternative is to designate a senior
IT manager or the CIO of the
organization to lead the
implementation

ITM 578 31
Supervising Implementation
The optimal solution is to designate a
suitable person from the information
security community of interest, since
the inherent focus is on the
information security needs of the
organization
It is up to each organization to find
the leadership for a successful project
implementation

ITM 578 32
Executing the Plan
Using negative feedback loop to control
project execution:
– Progress is measured periodically
– Measured results are compared against
expected results
– When significant deviation occurs,
corrective action taken
•When corrective action is required either the
estimate was flawed or performance has lagged

ITM 578 33
Executing the Plan
– When an estimate is flawed the plan should be
corrected and downstream tasks updated to reflect
the change
– When performance has lagged add resources,
lengthen the schedule, or reduce the quality or
quantity of the deliverables
•The decisions are usually expressed in terms
of trade-offs
•Often a project manager can adjust one of the
three planning parameters

ITM 578 34
Negative Feedback Loop
FIGURE 10-2 Negative Feedback Loop
Plan is developedPlan is developed
WorkWork
Progress is measuredProgress is measured
Corrective actionCorrective action
Complete?Complete?
Project isProject is
completecomplete
On target?On target?
YesYes
YesYes
NoNo
NoNo

ITM 578 35
Executing the Plan
When corrective action is required,
there are two basic situations: either
the estimate was flawed or
performance has lagged
When an estimate is flawed, for
example a faulty estimate for effort
hours is discovered, the plan should
be corrected and downstream tasks
updated to reflect the change

ITM 578 36
Executing the Plan
When performance has lagged, for
example due to high turnover of
skilled employees, correction is
required by adding resources,
lengthening the schedule, or by
reducing the quality or quantity of
the deliverable

ITM 578 37
Technical Topics of Implementation
Some parts of the implementation
process are technical in nature,
dealing with the application of
technology, while others are not,
dealing instead with the human
interface to technical systems

ITM 578 38
Executing the Plan
Decisions are usually expressed in
terms of trade-offs
Often a project manager can adjust
one of the three planning parameters
for the task being corrected:
– Effort and money allocated
– Elapsed time or scheduling impact
– Quality or quantity of the deliverable

ITM 578 39
Wrap-up
 Project wrap-up is usually handled as a
procedural task assigned to a mid-level IT or
information security manager
 These managers collect documentation,
finalize status reports, and deliver a final
report and a presentation at a wrap-up
meeting
 The goal of the wrap-up is to resolve any
pending issues, critique the overall effort of
the project, and draw conclusions about how
to improve the process for the future

ITM 578 40
Conversion Strategies
As the components of the new
security system are planned,
provisions must be made for the
changeover from the previous
method of performing a task to
the new methods

ITM 578 41
Conversion Strategies
– Direct changeover: also known as
going “cold turkey,” involves stopping
the old method and beginning the new.
– Phase implementation: the most
common approach, involves rolling out a
piece of the system across the entire
organization.

ITM 578 42
Conversion Strategies (continued)
– Pilot implementation: involves
implementing all security improvements
in a single office, department, or
division, and resolving issues within
that group before expanding to the rest
of the organization.
– Parallel operations: involve running
the new methods alongside the old
methods.

ITM 578 43
The Bull’s-Eye Model
 By reviewing the information security
blueprint and the current state of the
organization’s information security efforts
in terms of the four layers of the bulls-eye
model, project planners can find guidance
about where to lobby for expanded
information security capabilities
 This approach relies on a process of
evaluating project plans in a progression
through four layers: policy, network,
systems and applications

ITM 578 44
 Use the blueprint and the current state of
information security efforts and the four
layers of the bull’s-eye model, to find
guidance about where to focus - progressing
through policy, networks, systems, and
applications.
– Sound and useable IT and information security
policy comes first
– Network controls are designed and deployed next
– Information, process, and manufacturing
systems of the organization are secured next
– Assessment and remediation of the security of
the organization’s applications is the final step

ITM 578 45
FIGURE 10-3 The Bull’s-Eye Model
PoliciesPolicies
NetworksNetworks
SystemsSystems
ApplicationsApplications

ITM 578 46
To Outsource or Not
 Just as some organizations outsource IT
operations, organizations can outsource part
or all of their information security programs
 When an organization has outsourced IT
services, information security should be part
of the contract arrangement with the
outsourcer
 Because of the complex nature of
outsourcing, the best advice is to hire the
best outsourcing specialists, and then have
the best attorney possible negotiate and
verify the legal and technical intricacies of
the outsourcing contract

ITM 578 47
Technology Governance & Change Control
Other factors that determine the
success of an organization’s IT and
information security are technology
governance and change control
processes
Technology governance is a complex
process that an organization uses to
manage the impacts and costs caused
by technology implementation,
innovation, and obsolescence

ITM 578 48
Technology governance also
facilitates the communication about
technical advances and issues across
the organization
Medium or large organizations deal
with the impact of technical change
on the operation of the organization
through a change control process

ITM 578 49
 By managing the process of change:
– Improve communication about change
– Enhance coordination between organizational
groups as change is scheduled and completed
– Reduce unintended consequences by having a
process to resolve potential conflict and
disruption
– Improve quality of service as potential failures
are eliminated and groups work together
– Assure management that all groups are
complying with the organization’s policies
regarding technology governance, procurement,
accounting, and information security

ITM 578 50
Nontechnical Topics of Implementation
Other parts of the implementation
process are not technical in nature,
dealing with the human interface to
technical systems
These include the topics of creating a
culture of change management as well
as some considerations for
organizations facing change

ITM 578 51
Culture of Change
The prospect of change can cause
employees to unconsciously or
consciously resist
The stress of change can increase the
probability of mistakes or create
vulnerabilities
Resistance to change can be lowered by
building resilience for change

ITM 578 52
Culture of Change
One of the oldest models of making
change is the Lewin change model:
– Unfreezing: “thawing out” hard and
fast habits and established procedures.
– Moving: the transition between the old
way and the new.
– Refreezing: the integration of the new
methods into the organizational culture.

ITM 578 53
Considerations in Change
In order to make an organization
more amenable to change, some steps
can be taken:
– reducing resistance to change from the
beginning of the planning process
– steps taken to modify the organization
to be more accepting of change

ITM 578 54
Reducing Resistance
 The more ingrained the previous methods
and behaviors, the more difficult the change
 The primary mechanism used to overcome
this resistance to change is to improve the
interaction between the affected members of
the organization and the project planners in
the earlier phases of the SecSDLC
 The guideline to improve this interaction is a
three-step process:
– communicate
– educate
– involve

ITM 578 55
Developing Support for Change
 The best situation is an organization with a
culture that is beyond low resistance to
change but fosters resilience for change
 This resilience means the organization has
come to expect that change is a necessary
part of organizational culture, and that to
embrace change is more productive than
fighting it
 To develop such a culture the organization
must successfully accomplish many projects
that require change

ITM 578 56
The End…
Questions?

Implementing security

More Related Content

What's hot (20)

Viewers also liked (9)

Similar to Implementing security (20)

More from Dhani Ahmad (20)

Recently uploaded (20)

Implementing security

Editor's Notes