This section introduces best practice in the form of security principles and security practices.
2.2.1 Security Principles
Various lists of computer and information security principles have been proposed. A high-level, organisation-centric view is provided by Swanson and Guttman (1996), who outline eight principles of system security. These principles serve as a guide to decision-making during the creation or updating of systems, policies and procedures, thereby resulting in better security.
Firstly, security principles should support the organisation's mission by protecting its resources, e.g., its information, systems and reputation. Secondly, they are a fundamental part of management, as information systems are critical to the functioning of the organisation and management needs to decide how much risk it will mitigate versus how much it will accept in terms of impact on the organisation's functioning. Thirdly, they must be cost-effective in terms of the benefits derived from reducing potential losses due to insecurity versus the direct monetary and indirect efficiency costs of the controls. Fourthly, system owners have security responsibilities beyond their own organisation, e.g., informing external users or customers about the level of security provided and ensuring an adequate response to any breach, thereby retaining customer trust and complying with legislative requirements. Fifthly, the responsibilities and accountability for system security must be made explicit for its providers, owners, users, and so on. Sixthly, the principles require a comprehensive approach that works together with other management controls and extends beyond information security to include, e.g., physical and personnel security. Seventhly, due to the dynamic nature of computers and their environment, security needs to be reassessed periodically, e.g., when new security flaws are discovered by researchers or attackers. Lastly, societal factors can constrain information security, e.g., privacy concerns or resistance to certain methods of authentication may prevent their implementation, necessitating other controls or resulting in decreased security.
Footnote 16: RiskRanker is a prototype which was used to automatically assess a sample of 118 318 Android apps and highlighted 3218 which were deemed suspicious and ultimately 718 malicious apps and 322 zero-days.
For a more technical, system-centric view, Stoneburner et al. (2001) provide the list of information security principles in Table 2.1, to be considered when designing, developing and operating information systems. These principles cover several areas, including understanding the risk appetite and the trade-off between mitigation benefit and cost, putting adequate effort into the design process to ensure its quality, and mitigating risk through techniques such as compartmentation, isolation and defence in depth via multiple overlapping controls. Other areas include using authentication, authorization and accounting, ensuring confidentiality and integrity (e.g., via encryption), and practising secure software development.
While Stoneburner et al. (2001) advise that external systems be assumed insecure, even internal systems that are not exposed to the Internet, outsiders or the public are vulnerable to insiders who have access to them, e.g., disgruntled employees or internal spies, as per Casey (2007).
One example of how these principles apply over time is the rise of virtualisation and cloud computing, where data is processed on shared systems; this has opened up new attack vectors and illustrates how logical and physical security boundaries can change. Another is how information can be protected while in transit or at rest, e.g., by encrypting filesystems and their backups, together with the secure decommissioning of systems that have reached their end of life.
Table 2.1: System centric security principles
Understand and target the level of risk that is acceptable to the organisation.
Only implement the mechanisms necessary to achieve the security services that support the security goals.
Understand and highlight the trade-offs between risk reduction and increased costs, which include decreased operating efficiency.
Tailor system controls to the unique security requirements of the organisation.
Create a sound security policy to serve as the basis for information system design.
Ensure that security is a fundamental consideration of the system's design.
Specify in detail both the logical and the physical security boundaries controlled by the relevant security policies.
Use open standards whenever possible when creating security mechanisms, to facilitate interoperability across platforms.
Security requirements should all be developed using the same language to allow for comparison and evaluation.
Security designs should allow technology to be upgraded feasibly as it becomes available.
External systems are deemed insecure.
Protect against known attack classes, e.g., insider, physical or proximity attacks.
Describe and preclude frequent recurring errors and/or vulnerabilities, e.g., buffer overflows, lack of input validation, excessive privilege, etc.
To reduce the chance of flaws, keep systems as simple as possible and only as complex as necessary.
Multi-layer security removes single points of failure and increases the effort required of attackers.
Security services are implemented by multiple components that are distributed physically and logically, e.g., centralised network-based authentication for multiple hosts.
Systems should be resistant to penetration or circumvention of their security controls.
Employ mitigation techniques to limit and/or contain the exploitation of vulnerabilities.
Security measures should cater for multiple levels of security on the same infrastructure.
Create information systems which resist attack, contain damage and recover rapidly.
Minimize the parts, i.e., people, processes and technology, that must be trusted in a system.
Mission-critical resources should be logically or physically separated from publicly accessible systems.
Separate information systems and/or networks using access control devices and policies.
To apply suitable access control, users and processes require authentication.
Audit mechanisms should enable the detection of unauthorised access and allow for later investigation.
Ensure that the principle of least privilege is applied to limit the severity of exploitation.
Information should be protected during storage, transit and processing.
Systems that are end of life should be decommissioned securely to prevent loss of confidentiality.
Aim for ease of use of security controls in daily operations.
Create and practise business continuity plans to ensure availability.
Bespoke or customized systems may be required when off-the-shelf systems cannot provide sufficient security.
Use developers who are trained in secure software development.
2.2.2 Security Practices
Swanson and Guttman (1996) identify 14 security practices for information technology, presented in Table 2.2, which provide guidance to organisations on effective controls, objectives and procedures, or serve as a means to assess the organisation's existing policies and procedures.
These security practices include managing risk and information technology assets across their entire lifespan; managing people via pre-hiring screening, training and job design; and utilising authentication, authorization and accounting to control access and provide audit trails that support monitoring and investigation. Additional areas addressed by the security practices include the use of encryption to confirm identity, to provide confidentiality from unauthorised parties and to protect integrity by preventing modification, as well as addressing disasters through planning and prevention efforts.
Table 2.2: Security practices
Security policy provides direction from management in the form of rules, goals and responsibilities to address organizational, issue and system security objectives.
Security program management takes place at a centralized or organizational level, and in more specific (in terms of technology or function) system-level programs.
Risk management in the form of assessing and mitigating risk.
Managing security at every stage of the information system life cycle from acquisition to disposal.
Staff should be screened before being hired, positions should be designed and accounts should be managed to support the security objectives.
Security awareness training to address the human element.
Maintaining physical and environmental security through access control and by preventing fire, flood, collapse, etc.
Business continuity planning and testing to allow for recovery from disasters.
An incident response team allows for a rapid, effective response to incidents.
Support and operation tasks need to consider and cater for security.
Access control to determine who can do what through the use of ACLs, encryption, firewalls, etc.
Identification, where the user claims an identity, and authentication, where the claim is verified, form the basis of most access control systems.
Enabling auditing to ensure accountability, detect intrusion, etc. by means of collecting and maintaining audit trails.
Using cryptography to maintain confidentiality and integrity and to confirm identity, through the use of standards, key management, etc.
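As an added worked example (written for this page; it is not code from the thesis or from the cited NIST publications), the following Python sketch shows how the identification and authentication, access control and audit trail practices of Table 2.2, together with the authentication, least privilege and audit principles of Table 2.1, fit together in a small reference monitor. The users alice, bob and mallory, their passwords, the two roles and the resource /logs are hypothetical and constructed for the example.

```python
"""Reference-monitor sketch: identification and authentication, default-deny
least-privilege access control, and an audit trail that supports later
detection of unauthorised access attempts. Example code; all identities,
passwords, roles and resources below are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the credential store never holds the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class AuditRecord:
    user: str
    action: str
    resource: str
    outcome: str  # "allowed", "denied" (known identity, no right) or "auth_failed"


@dataclass
class ReferenceMonitor:
    # Identification and authentication: user -> (salt, PBKDF2 hash).
    credentials: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    # Accountability: every user maps to exactly one role.
    roles: Dict[str, str] = field(default_factory=dict)
    # Least privilege: a role holds only the (action, resource) pairs it needs;
    # anything not listed is denied (default deny).
    permissions: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)
    audit: List[AuditRecord] = field(default_factory=list)
    # Dummy credential so an unknown user costs the same work as a known one
    # (no username enumeration through timing).
    _dummy: Tuple[bytes, bytes] = field(default_factory=lambda: (b"\x00" * 16, b"\x00" * 32))

    def add_user(self, user: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.credentials[user] = (salt, _hash_password(password, salt))
        self.roles[user] = role

    def grant(self, role: str, action: str, resource: str) -> None:
        self.permissions.setdefault(role, set()).add((action, resource))

    def authenticate(self, user: str, password: str) -> bool:
        salt, expected = self.credentials.get(user, self._dummy)
        ok = hmac.compare_digest(_hash_password(password, salt), expected)
        return ok and user in self.credentials

    def authorise(self, user: str, action: str, resource: str) -> bool:
        # Default deny: unknown user, unknown role or unlisted right -> False.
        role = self.roles.get(user)
        return (action, resource) in self.permissions.get(role, set())

    def request(self, user: str, password: str, action: str, resource: str) -> bool:
        if not self.authenticate(user, password):
            outcome = "auth_failed"
        elif not self.authorise(user, action, resource):
            outcome = "denied"
        else:
            outcome = "allowed"
        # Every decision, including failures, is recorded for investigation.
        self.audit.append(AuditRecord(user, action, resource, outcome))
        return outcome == "allowed"

    def suspicious_users(self, threshold: int = 3) -> Dict[str, int]:
        # Detection over the audit trail: users with repeated failed attempts.
        counts: Dict[str, int] = {}
        for rec in self.audit:
            if rec.outcome != "allowed":
                counts[rec.user] = counts.get(rec.user, 0) + 1
        return {u: n for u, n in counts.items() if n >= threshold}


def build_demo_monitor() -> ReferenceMonitor:
    # Constructed sample policy: analysts may only read /logs; admins may also write.
    m = ReferenceMonitor()
    m.add_user("alice", "analyst-pw", "analyst")
    m.add_user("bob", "admin-pw", "admin")
    m.grant("analyst", "read", "/logs")
    m.grant("admin", "read", "/logs")
    m.grant("admin", "write", "/logs")
    return m


def run_demo():
    m = build_demo_monitor()
    results = [
        m.request("alice", "analyst-pw", "read", "/logs"),   # allowed
        m.request("alice", "analyst-pw", "write", "/logs"),  # denied: least privilege
        m.request("bob", "admin-pw", "write", "/logs"),      # allowed
        m.request("mallory", "guess1", "read", "/logs"),     # auth_failed: unknown user
        m.request("mallory", "guess2", "read", "/logs"),
        m.request("mallory", "guess3", "read", "/logs"),
    ]
    return results, [r.outcome for r in m.audit], m.suspicious_users()


if __name__ == "__main__":
    print(run_demo())
```

The design choices are the ones the two tables call for: credentials are stored as salted PBKDF2 hashes and compared in constant time; an unknown user costs the same work as a known one, so the login path does not reveal which usernames exist; authorisation is default deny, so a role only ever holds the rights explicitly granted to it (alice can read but not write /logs); and every decision, including failures, is appended to the audit trail, which is what makes mallory's repeated failed attempts detectable afterwards.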