Chapter 8 Administering Security Planning u Risk Analysis

Chapter 8 – Administering Security Planning u Risk Analysis u Security Policies u Physical Security u

Security Planning Policy u Current state – risk analysis u Requirements u Recommended controls u Accountability u Timetable u Continuing attention u

Security Planning - Policy Who should be allowed access? u To what system and organizational resources should access be allowed? u What types of access should each user be allowed for each resource? u

Security Planning - Policy What are the organization’s goals on security? u Where does the responsibility for security lie? u What is the organization’s commitment to security? u

OCTAVE Methodology http: //www. cert. org/octave/ u u u u Identify enterprise knowledge. Identify operational area knowledge. Identify staff knowledge. Establish security requirements. Map high-priority information assests to information infrastructure. Perform an infrastructure vulnerability evaluation. Conduct a multidimensional risk analysis. Develop a protection strategy.

Security Planning – Requirements of the TCSEC u u u Security Policy – must be an explicit and welldefined security policy enforced by the system. Every subject must be uniquely and convincingly identified. Every object must be associated with a label that indicates its security level. The system must maintain complete, secure records of actions that affect security. The computing system must contain mechanisms that enforce security. The mechanisms that implement security must be protected against unauthorized change.

Security Planning Team Members Computer hardware group u System administrators u Systems programmers u Application programmers u Data entry personnel u Physical security personnel u Representative users u

Security Planning u u Assuring Commitment to a Security Plan Business Continuity Plans • • • u Assess Business Impact Develop Strategy Develop Plan Incident Response Plans • • • Advance Planning Response Team After the Incident is Resolved