RESPONSABILIDAD DEL ESTADO EN LA VIOLACIÓN DE LOS DERECHOS Y LAS GARANTÍAS DEL DEBIDO PROCESO

The MITS document outlines a comprehensive ITS framework that consists of management, technical, and operational security controls. The technical and operational controls are further subdivided into security-supporting processes, and controls for prevention, detection, and response and recovery (see Figure 2 below). Some prevention controls are detailed in other standards, such as physical security (see the Operational Security Standard on Physical Security; reference [26]) and personnel security (see the Personnel Security Standard, reference [28]). The MITS framework places network security and Zones in the technical safeguards category, a subgroup of prevention controls.

3.2.1 Management Controls

As described in the MITS, management controls include, but are not limited to, security in the system development life cycle; asset identification and categorization; risk management (which includes TRA and certification and accreditation); incident and vulnerability management; security assessment and audit; and security awareness and training.

Although this publication is primarily for technical guidance, it does include some management controls directly related to network security. This Guideline supports TRAs by providing a standardized level of susceptibility or exposure to network threats. It also includes some

requirements for incident and vulnerability management necessary to maintain network security. These areas are outlined in light blue in Figure 2.

This Guideline does not address requirements for the system development life cycle, asset identification and categorization, certification and accreditation, security assessments and audits, or security awareness and training. However, it must be noted that these activities are all

UNCLASSIFIED

Baseline Security Requirements for Network Security Zones in the Government of Canada (ITSG-22)

16 June 2007 Network Security Zones and IT Security

necessary and important aspects of an overall security strategy. Specifically, Security Awareness and Training are fundamental to all security implementations; without properly trained and aware users, the best technology may be rendered useless.

Management Controls Technical and Operational Controls Security-

Supporting Processes

Detection Controls

(no subtypes defined in MITS) Response & Recovery Controls Prevention Controls

System Development Life Cycle Asset Identification &

Categorization

Security Assessment & Audit Security Awareness &

Training Problem Reporting & Help Desk Capacity Planning System Support Services Physical Security IT Media Storage, Disposal, & Destruction Personnel Security Technical Safeguards Eleven other safeguard types Identification Response Reporting Recovery Post-Incident Analysis Network Security Configuration Management & Change Control Risk Management

Incident & Vulnerability Management

Core Requirements

Supporting Requirements

Figure 2 – MITS Framework

3.2.2 Processes that Support IT Security

The MITS standard identifies four key processes that support ITS: a. configuration management and change control;

b. problem reporting and help desk; c. capacity planning; and

d. system support services.

This Guideline includes requirements for configuration management of networks and End- Systems (outlined in light blue in Figure 2); however, the configuration management

requirements for End-Systems are limited in scope and include only requirements to prevent End-Systems from introducing threats to the network. Aside from this, this Guideline does not address other security-supporting processes.

Network Security Zones and IT Security June 2007 17

3.2.3 Prevention Controls

Prevention controls are deployed within the application systems and the computing infrastructure to protect the confidentiality, integrity, and availability of information and IT assets. They are the first line of defence and aim to keep security incidents from happening.

In the MITS framework, prevention controls are grouped into four main types: physical security controls; controls for the storage, disposal, and destruction of IT media; personnel security controls2; and technical safeguards. The MITS standard describes twelve types of technical safeguards, including identification and authentication (I&A), authorization and access control, cryptography, emanations security, and security configuration. Network security is also

identified as a technical safeguard; that is where Zones fit into the MITS framework (outlined in dark blue in Figure 2).

This Guideline addresses technical safeguards for network security (and thus focuses on

prevention). While it establishes requirements in certain situations for other safeguards such as I&A or cryptography in support of network security, it does not specify how those other

safeguards should operate.

Although this Guideline does not specifically address personnel security, it must be noted that even authorized Users and Administrators of systems pose a tremendous threat to the security of any given system. By ensuring that authorized personnel possess an adequate clearance level and are properly trained for a given system, and the Principles of Least Privilege, Separation of Duties and Need-to-Know are honoured in the implementation of access control, the risk to that system from ‘inside’ threat agents can be significantly reduced.

3.2.4 Detection Controls

Detection is the second line of defence. Detection is necessary because prevention controls sometimes fail or are unable to stop some security incidents. When that happens, it is essential to be able to detect whether a security incident has occurred. The MITS standard gives a brief overview of the means and objectives of detection.

This Guideline does not contain any requirements for detection as such, although it does include requirements to ensure that Zones can support detection capabilities where necessary.

3.2.5 Response and Recovery Controls

Response and recovery controls provide the ability to handle security incidents after they have been detected and to bring the IT systems back to a stable state. Lessons learned from the response and recovery activities feed back into improving the prevention and detection controls to counter similar security incidents in the future.

2 Section 16.3 of the MITS requires “all personnel with privileged access to critical systems” to have a Level II security clearance.

UNCLASSIFIED

Baseline Security Requirements for Network Security Zones in the Government of Canada (ITSG-22)

18 June 2007 Network Security Zones and IT Security

The MITS standard identifies five stages in the incident handling process: identification, response, reporting, recovery, and post-incident analysis.

Although this Guideline does not include requirements for response and recovery controls, it does stipulate capabilities to support them.