
Any information security program will consist of component parts, as shown in Figure 5.4, that implement the process of information security.

RISK ASSESSMENT

An information security risk assessment identifies and quantifies risk, thus serving as the basis for addressing risk. The risk assessment process requires creation of an initial security domain definition to set the scope of the assessment by acknowledging the span of control and relevant assets. This corresponds to the security architecture model (extended, perimeter, control, and resource layers) by defining physical and logical boundaries and tabulating assets at risk.

The security architecture definition is used to modularize the security program by implicitly setting the scope of other program components. For example, an established risk assessment security layer definition may be used to establish the scope of an incident response plan. Because boundaries and assets are synchronized, any incident response feedback can seamlessly feed back into the risk analysis process to close the loop. The advantages of modularity in a security program warrant extra effort in the initial definition of risk assessment security domains.

The information security risk assessment is a living document with established ownership and review. It may serve as a vehicle to modularize a security program, offering cohesiveness and flexibility, as well as a vehicle to document due diligence. The value of the information security risk assessment is only as effective as the accuracy and thoroughness represented within.

MANAGEMENT SYSTEM

The information security management system functions to address risk, whether it is accepted, transferred, or mitigated; information security management systems are beginning to enjoy the adoption of internationally recognized standards, and are increasingly being seen as analogous to Total Quality Management (TQM) systems, managing the quality of information security.

One rapidly emerging internationally recognized standard is ISO17799, heir apparent to the venerable BS7799 standard, and focused on ten functional control areas including:

• Information Security Policy addressing management support, ongoing commitment, and direction in accomplishing information security goals;

• Organizational Security addressing the need for a management framework to create, sustain, and manage the security infrastructure;

• Asset Classification and Control addressing the ability of the security infrastructure to protect organizational assets;

• Personnel Security addressing an organization’s ability to mitigate risk inherent in human interaction;

• Physical and Environmental Security addressing risk inherent to the organization’s premise;

• Communications and Operations Management addressing an organization’s ability to ensure correct, secure, and repeatable operation of its assets;

• Access Control addressing an organization’s ability to control access to assets based upon business and security requirements;

• System Development and Maintenance addressing an organization’s ability to ensure that information system security controls are both incorporated and maintained;

• Business Continuity Management addressing an organization’s ability to counteract interruptions to normal operations; and

• Compliance addressing an organization’s ability to remain compliant with regulatory, statutory, contractual, and security requirements.

FIGURE 5.4 Example of an Information Security Program Structure (figure not reproduced; its boxes name the Information Security Policy, the Information Security Management System, the Local Information Security Program, and their component plans, processes, capabilities, roles, committees and forums)

Security management based upon ISO17799 takes a very holistic look at information security and at all aspects of an organization’s ability to manage risk. The ten functional control areas serve as a high-level checklist of things that should be evaluated in the creation of a security program, and the selection of controls.

Security management systems define functional requirements of the security architecture model control layer. Scope and requirements are driven by the results obtained from the risk assessment that is fed by a penetration test. Components typically include security organizations, codified practices, and ancillary support programs.

Security organizations address the individual’s role in the security program.

• Functional Roles allow assignment of specific security responsibilities such as Information Security Officers.

• Information Security Management Committees are chartered with specific tasks such as Configuration Control Boards.

• Multidisciplinary Management Forums are tasked with promoting information security awareness throughout the organization.

Codified practices refine an organization’s risk mitigation strategy to a level of granularity that can be implemented.

• Policies express conceptual goals of upper management defining the risk mitigation strategy.

• Standards define measurable requirements in support of policy goals.

• Guidelines offer best practice advice on how to meet standard requirements.

• Procedures furnish step-by-step instructions to create a consistent and repeatable process.

Ancillary programs address risk not addressed by security organizations or codified practices. In some organizations, these ancillary programs may liaise with the security program, but be externally managed. For example, business continuity may stand alone, or security awareness may fall under HR or training.

• Business Continuity programs ensure the sustainability of the organization.

• Incident Management programs respond to anomalies.

• Security Awareness programs educate an organization’s personnel on information security issues.

There is no cookie-cutter approach to creating a security management system, each being unique to the sponsoring organization. Any implementation must be justified by identified risk, have the full support of the organization’s upper management, and take into consideration existing organizational culture and politics. Buy-in from stakeholders at all levels is crucial to both initial success and ongoing effectiveness.

CONTROLS

Controls come in many forms, including physical devices, configurations, roles, and processes, affecting networks, platforms, roles, and operations. Many controls require subordinate or supporting controls. For example:

• A firewall is a network control device used to enforce network access and service requirements. The firewall requires:

– A supporting procedure for authorized users and services

– A supporting role to administer the device

– A supporting organization for configuration control

• A sniffer is a network control device used to monitor traffic for both network management and anomaly detection.

– A supporting monitoring policy may be required to mitigate an additional risk of illegal eavesdropping or invasion of privacy.

• Hardening scripts are platform controls used to modify system configurations to minimize effectiveness of common system exploits.

– A supporting role must track and update the scripts.

• System logging is a control that includes:

– A device such as a log server

– A configuration to enable logging on each device

– A role to analyze the log files

Functional role definitions are a control used to assign and evaluate information security responsibilities and training requirements. If “Information security is everybody’s responsibility,” an effective system ensures that “Everybody knows his or her responsibilities and is trained to react accordingly.”

Procedural controls exist to ensure the process of information security is consistent and repeatable. Standard operational procedures, for example, are controls to standardize the outcome of operations throughout the organization. Controls are an implementation of the risk mitigation strategy adopted by management and validated by risk.
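As an added illustration of the two rules this section keeps returning to, that every control is justified by an identified risk and that a primary control carries its supporting controls (example code written for this page, not from the original chapter): a small coverage check run over a constructed risk register and control inventory. The short control names, the risk-register fields and the treatment values are assumptions.

```python
from dataclasses import dataclass, field
# Supporting controls each primary control needs, taken from the examples in the
# Controls section above (the short names are hypothetical labels, not a standard).
REQUIRED_SUPPORT = {
    "firewall": {"access procedure", "firewall admin role", "configuration control board"},
    "sniffer": {"monitoring policy"},
    "system logging": {"log server", "logging configuration", "log analysis role"},
}

@dataclass
class Control:
    name: str
    kind: str                                    # "primary" or "supporting"
    mitigates: set = field(default_factory=set)  # ids of the risks it addresses

def coverage_gaps(risks: dict, controls: list) -> list:
    """Return human-readable findings; an empty list means no gaps."""
    findings, deployed = [], {c.name for c in controls}
    for c in controls:
        # Rule 1: a primary control must be justified by an identified risk.
        if c.kind == "primary" and not c.mitigates:
            findings.append(f"{c.name}: not justified by any identified risk")
        if unknown := c.mitigates - set(risks):
            findings.append(f"{c.name}: references undefined risk(s) {sorted(unknown)}")
        # Rule 2: every supporting control the primary control needs must be deployed.
        for m in sorted(REQUIRED_SUPPORT.get(c.name, set()) - deployed):
            findings.append(f"{c.name}: missing supporting control '{m}'")
    # Rule 3: a risk management chose to mitigate must be addressed by some control.
    covered = {r for c in controls for r in c.mitigates}
    for rid, r in risks.items():
        if r["treatment"] == "mitigate" and rid not in covered:
            findings.append(f"{rid}: marked 'mitigate' but no control addresses it")
    return findings

RISKS = {  # constructed sample risk register, not real data
    "R1": {"asset": "perimeter router", "treatment": "mitigate"},
    "R2": {"asset": "customer database", "treatment": "mitigate"},
    "R3": {"asset": "mail archive", "treatment": "transfer"},  # insured; no control expected
}
SUPPORTING = ["access procedure", "firewall admin role", "log server",
              "logging configuration", "log analysis role", "monitoring policy"]
CONTROLS = [  # constructed sample control inventory
    Control("firewall", "primary", {"R1"}),
    Control("system logging", "primary", {"R1", "R9"}),  # R9 is not in the register
    Control("sniffer", "primary"),                       # deployed without a justifying risk
] + [Control(s, "supporting") for s in SUPPORTING]

def demo() -> list:
    return coverage_gaps(RISKS, CONTROLS)
```

Running `demo()` reports the firewall's missing configuration control board, the undefined risk R9, the unjustified sniffer, and the unaddressed risk R2; a clean inventory returns an empty list.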