Information Assurance And Security - Chapter 1 - Lesson 4

Principles of Information Security,
Fifth Edition
Chapter 1
Introduction to Information Security
Lesson 4 – Software Design
Principles

Learning Objectives
Upon completion of this lesson, you should be
able to:
- Describe the information security roles of
professionals within an organization
PRINCIPLES OF INFORMATION SECURITY, FIFTH EDITION 2

Software Design Principles
Software development leaders J. H. Saltzer and M.
D. Schroeder first identified security principles:
◦ Economy of mechanism
◦ Fail-safe defaults
◦ Complete mediation
◦ Open design
◦ Separation of privilege
◦ Least privilege
◦ Least common mechanism
◦ Psychological acceptability

The NIST Approach to Securing
the SDLC
NIST Special Publication 800-64 rev. 2 maintains
that early integration of security in the SDLC
enables agencies to maximize return on investment
through:
◦ Early identification and mitigation of security
vulnerabilities and misconfigurations
◦ Awareness of potential engineering challenges
◦ Identification of shared security services and reuse of
security strategies and tools
◦ Facilitation of informed executive decision making

The NIST Approach: Initiation
Security at this point is looked at in terms of
business risks, with information security office
providing input.
Key security activities include:
◦ Delineation of business requirements in terms of
confidentiality, integrity, and availability
◦ Determination of information categorization and
identification of known special handling requirements to
transmit, store, or create information
◦ Determination of any privacy requirements

The NIST Approach:
Development/Acquisition
◦Conducting risk assessment and using
results to supplement baseline security
controls
◦Analyzing security requirements
◦Performing functional and security testing
◦Preparing initial documents for system
certification and accreditation
◦Designing security architecture

The NIST Approach:
Implementation/Assessment
System is installed and evaluated in
operational environment.
◦ Integrating information system into its
environment
◦ Planning and conducting system certification
activities in synchronization with testing of
security controls
◦ Completing system accreditation activities

The NIST Approach: Operations
and Maintenance
Systems are in place and operating, enhancements and/or
modifications to the system are developed and tested, and
hardware and/or software are added or replaced.
◦ Conducting operational readiness review
◦ Managing configuration of system
◦ Instituting process and procedure for assured operations
and continuous monitoring of information system’s
security controls
◦ Performing reauthorization as required
PRINCIPLES OF INFORMATION SECURITY, FIFTH EDITION
8

The NIST Approach: Disposal
Provides for disposal of system and
closeout of any contracts in place
◦Building and executing disposal/transition
plan
◦Archival of critical information
◦Sanitization of media
◦Disposal of hardware and software

Security Professionals and the
Organization
Wide range of professionals are
required to support a diverse
information security program.
Senior management is the key
component.
Additional administrative support and
technical expertise are required to
implement details of IS program.

Senior Management
Chief information officer (CIO)
◦ Senior technology officer
◦ Primarily responsible for advising the senior
executives on strategic planning
Chief information security officer (CISO)
◦ Has primary responsibility for assessment,
management, and implementation of IS in the
organization
◦ Usually reports directly to the CIO

Information Security Project
Team
A small functional team of people who are
experienced in one or multiple facets of required
technical and nontechnical areas:
◦ Champion
◦ Team leader
◦ Security policy developers
◦ Risk assessment specialists
◦ Security professionals
◦ Systems administrators
◦ End users
13

Data Responsibilities
Data owners: senior management
responsible for the security and use of a
particular set of information
Data custodian: responsible for information
and systems that process, transmit, and
store it
Data users: individuals with an information
security role

Communities of Interest
Group of individuals united by similar
interests/values within an organization
◦ Information security management and
professionals
◦ Information technology management and
professionals
◦ Organizational management and professionals

Information Security: Is It an
Art or a Science?
Implementation of information security is
often described as a combination of art and
science.
“Security artisan” idea: based on the way
individuals perceive system technologists
and their abilities

Security as Art
No hard and fast rules nor many universally
accepted complete solutions
No manual for implementing security through
entire system
17

Security as Science
Dealing with technology designed for rigorous performance
levels
Specific conditions cause virtually all actions in computer
systems.
Almost every fault, security hole, and systems malfunction
is a result of interaction of specific hardware and software.
If developers had sufficient time, they could resolve and
eliminate faults.

Security as a Social Science
Social science examines the behavior of individuals
interacting with systems.
Security begins and ends with the people that
interact with the system, intentionally or
otherwise.
Security administrators can greatly reduce the
levels of risk caused by end users and create more
acceptable and supportable security profiles.

Information Assurance And Security - Chapter 1 - Lesson 4

More Related Content

What's hot (20)

Similar to Information Assurance And Security - Chapter 1 - Lesson 4 (20)

More from MLG College of Learning, Inc (20)

Recently uploaded (20)

Information Assurance And Security - Chapter 1 - Lesson 4