Chapter - 8 - Security Management Models

Learning Objectives

 Upon completion of this material, you should be able to:
• Describe the dominant InfoSec
management models, including
national and international standards-
based models
• Explain why access control is an
essential element of InfoSec
management
• Recommend an InfoSec management
model and explain how it can be
customized to meet the needs of a
particular organization
• Describe the fundamental elements of
key InfoSec management practices
Introduction to Blueprints, Frameworks, and Security Management Models

Chapter 08: Security Management Models

Introduction to Blueprints, Frameworks, and Security Models
 InfoSec models are standards that are used for reference or comparison and often serve as the stepping-off point for emulation and adoption
 One way to select a methodology is to adapt or adopt an existing security management model or set of practices
 Because each InfoSec environment is unique, you may need to modify or adapt portions of several frameworks; what works well for one organization may not precisely fit another
Introduction to Blueprints, Frameworks, and Security Models
(Continued)
 The communities of interest accountable
for the security of an organization’s
information assets must design a working
security plan and then implement a
management model to execute and
maintain that plan
 This may begin with the creation or
validation of a security framework, followed
by an InfoSec blueprint that describes
existing controls and identifies other
necessary security controls
 A framework or security model is the
outline of the more thorough and
organization-specific blueprint
 These documents form the basis for the
design, selection, and initial and ongoing
implementation of all subsequent security
controls, including policy, SETA, and
technologies
Introduction to Blueprints, Frameworks, and Security Models
(Continued)
 To generate a usable security
blueprint, most organizations
draw on established security
frameworks, models, and
practices
 Another way to create a
blueprint is to look at the
paths taken by other
organizations
 In this kind of benchmarking,
you follow the recommended
practices or industry standards
Introduction to Blueprints, Frameworks, and Security Models
(Continued)
 Benchmarking is the comparison
of two related measurements
 Benchmarking describes both
internal and external
comparisons
 Internal benchmarking, known as
baselining, involves comparing
organizational performance at
some defined state against
current or expected performance
 External benchmarking involves
comparing one’s organizational
results against other similar
organizations
Security Management Models
Chapter 08: Security Management Models
The ISO 27000 Series
 One of the most widely referenced and
often discussed security models is
Information Technology—Code of Practice
for Information Security Management,
which was originally published as British
Standard BS 7799, later published as
ISO/IEC 17799, and then as ISO/IEC 27002
 The original purpose of ISO/IEC 27002 was
to offer guidance for the management of
InfoSec to individuals responsible for their
organization’s security programs
 According to 27000.org, the standard was
“intended to provide a common basis for
developing organizational security
standards and effective security
management practice and to provide
confidence in inter-organizational
dealings”
The ISO 27000 Series (Continued)
 Where ISO/IEC 27002 is focused on
a broad overview of the various
areas of security, providing
information on 127 controls over 10
areas, ISO/IEC 27001 provides
information on how to implement
ISO/IEC 27002 and how to set up an
information security management
system (ISMS)
 One way to determine how closely
an organization is complying with
ISO 27002 is to use the SANS
SCORE (Security Consensus
Operational Readiness Evaluation)
Audit Checklist, which is based on
17799:2005
ISO 27000 Series current and planned
 27000:2016 Series Overview and Terminology
 27001:2013 InfoSec Mgmt System Specification
 27002:2013 Code of Practice for InfoSec Mgmt
 27003:2017 InfoSec Mgmt Systems Implementation Guidance
 27004:2016 InfoSec Measurements
 27005:2011 ISMS Risk Management
 27006:2015 Requirements for Bodies Providing Audit and Certification of an ISMS
 27007:2011 Guidelines for ISMS Auditing
 27008:2011 Guidelines for InfoSec Auditing
 27010:2015 Guidelines for Inter-sector and Inter-organizational Communications
 27011:2016 Guidelines for Telecomm orgs
 27013:2015 Guideline on the Integrated Implementation of ISO/IEC 20000-1 and ISO/IEC 27001
 27014:2013 InfoSec Governance Framework
 27015:2012 InfoSec Mgmt Guidelines for Financial Services
 27016:2014 InfoSec and Organizational Economics
 27017:2015 Code of practice for InfoSec controls for cloud computing services based on ISO/IEC 27002
 27018:2014 Code of practice for PII protection in public clouds acting as PII processors
 27019:2013 InfoSec mgmt guidelines for process control systems specific to the energy industry
 27023:2015 Mapping the revised editions of ISO/IEC 27001 and 27002
 27031:2012 Guidelines for information and communication technology readiness for business continuity
 27032:2012 Guidelines for cybersecurity
NIST Security Models
 NIST documents have two notable
advantages:
• they are publicly available at no
charge
• they have been available for some
time; thus they have been broadly
reviewed (and updated) by
government and industry
professionals
 You can use the NIST SP (Special
Publication) documents listed
earlier, along with the discussion
provided in this book, to help design
a custom security framework for
your organization’s InfoSec program
Key NIST SPs
 SP 800-12, Rev. 1: Computer Security Handbook
 SP 800-14: Generally Accepted Security Principles and Practices
 SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal IS
 SP 800-30, Rev. 1: Guide for Conducting Risk Assessments
 SP 800-34, Rev. 1: Contingency Planning Guide for Federal IS
 SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal IS
 SP 800-39: Managing InfoSec Risk: Organization, Mission, and IS View
 SP 800-53, Rev. 4: Security and Privacy Controls for Federal IS and Orgs
 SP 800-53A, Rev. 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
 SP 800-55, Rev. 1: Performance Measurement Guide for InfoSec
 SP 800-61, Rev. 2: Computer Security Incident Handling Guide
 SP 800-100: Information Security Handbook: A Guide for Managers
 SP 800-184: Guide for Cybersecurity Event Recovery
Control Objectives for Information and Related Technology (COBIT)
 Control Objectives for Information and Related Technology (COBIT) also provides advice about the implementation of sound controls and control objectives for InfoSec
 COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992
Control Objectives for Information and Related Technology (COBIT)
(Continued)
 COBIT 5 provides five principles
focused on the governance and
management of IT in an
organization:
• Principle 1: Meeting Stakeholder
Needs
• Principle 2: Covering the
Enterprise End-to- End
• Principle 3: Applying a Single,
Integrated Framework
• Principle 4: Enabling a Holistic
Approach
• Principle 5: Separating
Governance from Management
Control Objectives for Information and related Technology (COBIT)
(Continued)
 The COBIT 5 framework also incorporates a series of
“enablers” to support the principles:
• Principles, policies, and frameworks are the vehicle to
translate the desired behavior into practical guidance for day-
to-day management
• Processes describe an organized set of practices and activities
to achieve certain objectives and produce a set of outputs in
support of achieving overall IT-related goals
• Organizational structures are the key decision-making entities
in an enterprise
• Culture, ethics, and behavior of individuals and of the
enterprise are very often underestimated as a success factor
in governance and management activities
• Information is required for keeping the organization running
and well governed, but at the operational level, information is
very often the key product of the enterprise itself
• Services, infrastructure, and applications include the
infrastructure, technology, and applications that provide the
Committee of Sponsoring Organizations (COSO)
 COSO of the Treadway Commission
is a U.S. private-sector initiative
formed in 1985
 Its major objective is to identify
the factors that cause fraudulent
financial reporting and to make
recommendations to reduce its
incidence
 COSO has established a common
definition of internal controls,
standards, and criteria, and helps
organizations comply with critical
regulations like Sarbanes-Oxley
Committee of Sponsoring Organizations (COSO) (Continued)
 Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
COSO Framework
 COSO’s framework is built on
five interrelated components:
• Control environment
• Risk assessment
• Control activities
• Information and
communication
• Monitoring
Information Technology Infrastructure Library (ITIL)
 The Information Technology
Infrastructure Library (ITIL) is a
collection of methods and
practices useful for managing the
development and operation of
information technology
infrastructures
 The ITIL has been produced as a
series of books, each of which
covers an IT management topic
 Since it includes a detailed description of many significant IT-related practices, it can be tailored to many IT organizations
Information Security Governance Framework
 The Information Security Governance
Framework is a managerial model that
provides guidance in the development
and implementation of an organizational
information security governance structure
 The core of the Information Security
Governance Framework includes
recommendations for the responsibilities
of members of an organization including:
• Board of directors/trustees
• Senior executives
• Executive team members who report to
a senior executive
• Senior managers
• All employees and users
Security Architecture Models
Chapter 08: Security Management Models
Security Architecture Models
 Security architecture models illustrate
information security implementations and can
help organizations to quickly make
improvements through adaptation
 Some models are implemented into computer
hardware and software, some are
implemented as policies and practices, and
some are implemented in both
 Some models focus on the confidentiality of information, while others focus on the integrity of the information as it is being processed
TCSEC and the Trusted Computing Base
 The Trusted Computer System
Evaluation Criteria (TCSEC) is an
older DoD standard that defines the
criteria for assessing the access
controls in a computer system
 This standard is part of a larger
series of standards collectively
referred to as the Rainbow Series,
due to the color-coding used to
uniquely identify each document
 TCSEC is also known as the “Orange
Book” and is considered the
cornerstone of the series
 TCSEC was replaced by the
“Common Criteria” in 2005
Trusted Computing Base
 TCSEC defines a trusted
computing base (TCB) as the
combination of all hardware,
firmware, and software responsible
for enforcing the security policy
 In this context, security policy
refers to the rules of configuration
for a system, rather than a
managerial guidance document
 The TCB is made up of the
hardware and software that has
been implemented to provide
security for a particular
information system
Trusted Computing Base Reference Monitor
 Within the TCB is a conceptual object known as the reference monitor, which mediates access to objects by subjects
 Systems administrators must be able to audit or periodically review the reference monitor to ensure it is functioning effectively, without unauthorized modification
 One of the biggest challenges in TCB is the existence of covert channels
Information Technology System Evaluation Criteria
 The international standard
Information Technology System
Evaluation Criteria (ITSEC) is very
similar to TCSEC
 Under ITSEC, Targets of
Evaluation (ToE) are compared to
detailed security function
specifications, resulting in an
assessment of systems
functionality and comprehensive
penetration testing
 Like TCSEC, ITSEC was, for the
most part, functionally replaced
by the Common Criteria
The Common Criteria
 The Common Criteria for Information
Technology Security Evaluation
(“Common Criteria” or “CC”) is an
international standard (ISO/IEC
15408) for computer security
certification
 It is widely considered the successor
to both TCSEC and ITSEC in that it
reconciles some of the differences
between the various other standards
 The CC process assures that the
specification, implementation, and
evaluation of computer security
products are performed in a rigorous
and standard manner
Chapter 08: Security Management Models

Access Control Models

End of Unit 1
Access Control Models
 Access controls regulate the admission of users into trusted areas of the organization—both logical access to information systems and physical access to the organization’s facilities
 Access control is maintained by means of a collection of
policies, programs to carry out those policies, and technologies
that enforce policies
Access Control Models
(Continued)
 The general application of access control
comprises four processes:
• Obtaining the identity of the entity
requesting access to a logical or physical
area (identification)
• Confirming the identity of the entity seeking
access to a logical or physical area
(authentication)
• Determining which actions an authenticated
entity can perform in that physical or logical
area (authorization)
• Documenting the activities of the authorized
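The four processes above, run in order against a constructed account store. This is an added example, not code from the slides; the user names, password, and the (action, resource) permission pairs are invented, and the PBKDF2 work factor is an assumption. It shows the order in which identification, authentication, authorization and accountability are applied, and that every refusal, not only the grant, is written to the audit log.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed demo of the four access-control processes: identification,
# authentication, authorization and accountability (audit).

PBKDF2_ROUNDS = 100_000          # assumed work factor for the stored password hash
_DUMMY_SALT = os.urandom(16)     # used so unknown users cost the same time as known ones


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    permissions: frozenset        # (action, resource) pairs this identity may perform


@dataclass
class AccessControl:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def enroll(self, username: str, password: str, permissions) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, derive_key(password, salt), frozenset(permissions))

    def request(self, username: str, password: str, action: str, resource: str) -> bool:
        """Run the four processes in order; every outcome is recorded (accountability)."""
        # 1. Identification: who claims to be asking?
        acct = self.accounts.get(username)
        if acct is None:
            derive_key(password, _DUMMY_SALT)   # keep timing uniform for unknown identities
            self._record(username, action, resource, "denied: unknown identity")
            return False
        # 2. Authentication: prove the claim (constant-time compare of the derived hash)
        if not hmac.compare_digest(acct.pw_hash, derive_key(password, acct.salt)):
            self._record(username, action, resource, "denied: authentication failed")
            return False
        # 3. Authorization: may this authenticated entity perform this action here?
        if (action, resource) not in acct.permissions:
            self._record(username, action, resource, "denied: not authorized")
            return False
        # 4. Accountability: the granted action is logged just like every refusal above
        self._record(username, action, resource, "granted")
        return True

    def _record(self, username, action, resource, outcome):
        self.audit_log.append({"user": username, "action": action,
                               "resource": resource, "outcome": outcome})


def demo():
    """Constructed sample: one enrolled user, four requests. Returns decisions and the log."""
    ac = AccessControl()
    ac.enroll("alice", "correct horse battery staple", [("read", "payroll")])
    decisions = [
        ac.request("alice", "correct horse battery staple", "read", "payroll"),   # granted
        ac.request("alice", "wrong password", "read", "payroll"),                # authn fails
        ac.request("alice", "correct horse battery staple", "write", "payroll"),  # not authorized
        ac.request("mallory", "anything", "read", "payroll"),                     # unknown identity
    ]
    return decisions, ac.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The dummy key derivation for unknown identities keeps a failed identification from being measurably faster than a failed authentication, so the log, not response timing, is where the distinction lives.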
Access Control
 Access control is built on several key
principles:
• Least privilege: The principle by which
members of the organization can access the
minimum amount of information for the
minimum amount of time necessary to
perform their required duties
• Need to know: Limits a user’s access to the
specific information required to perform the
currently assigned task, and not merely to
the category of data required for a general
work function
Categories of Access Controls
 Directive—Employs administrative controls such as
policy and training designed to proscribe certain
user behavior in the organization
 Deterrent—Discourages or deters an incipient
incident
 Preventative—Helps an organization avoid an
incident
 Detective—Detects or identifies an incident or a
threat when it occurs
 Corrective—Remedies a circumstance or mitigates
damage done during an incident
 Recovery—Restores operating conditions back to
normal
Mandatory Access Controls
(MACs)
 A Mandatory Access Control (MAC) is required and is structured
and coordinated within a data classification scheme that rates
each collection of information as well as each user
 These ratings are often referred to as sensitivity levels or
classification levels
 When MACs are implemented, users and data owners have
limited control over access to information resources
Data Classification Model
 Data owners must classify the information assets
for which they are responsible and review the
classifications periodically
 The U.S. government uses a three-level
classification scheme for information deemed to be
National Security Information (NSI), as defined in
Executive Order 13526:
• Top Secret
• Secret
• Confidential
 Simple scheme for other organizations:
• Public
• For official (or internal) use only
• Confidential (or Sensitive)
Security Clearances
 Another component of a data classification scheme
is the personnel security clearance structure, in
which each user of an information asset is assigned
an authorization level that identifies the level of
information classification he or she can access
 Most organizations have developed roles and
corresponding security clearances so individuals
are assigned into authorization levels correlating
with the classifications of the information assets
 Beyond a simple reliance on the security clearance
is the incorporation of the need-to-know principle,
based on the requirement that people are not
allowed to view data simply because it falls within
their level of clearance; they must also have a
Managing Classified Information
Assets
 Managing an information asset includes all
aspects of its life cycle—from specification to
design, acquisition, implementation, use,
storage, distribution, backup, recovery,
retirement, and destruction
 An information asset that has a classification
designation other than unclassified or public
must be clearly marked as such—with a cover
page and headers and footers
 To maintain the confidentiality of classified
documents, managers can implement a clean
desk policy—requiring employees to secure all
Managing Classified
Information Assets

(Continued)
When copies of classified information are no
longer valuable or too many copies exist, care
should be taken to destroy them properly to
discourage dumpster diving
 While bins stored on private property can be
protected from trespassers, in 1998, in
California v. Greenwood, the Supreme Court
ruled that there is no expectation of privacy
for items thrown away in trash or refuse
containers
Lattice-Based Access Controls
 Lattice-based access control, a variation on
the MAC form of access control, assigns users
a matrix of authorizations for particular areas
of access
 The level of authorization may vary
depending on the classification authorizations
that individuals possess for each group of
information assets or resources
 The lattice structure contains subjects and
objects, and the boundaries associated with
each subject/object pair are clearly
demarcated
Nondiscretionary Controls
 Nondiscretionary controls are determined by a central authority
in the organization and can be based on roles—called role-
based access controls or RBAC—or on a specified set of tasks—
called task-based controls
 Role-based controls are tied to the role that a particular user
performs in an organization, whereas task-based controls are
tied to a particular assignment or responsibility
Discretionary Access Controls
(DACs)
 Discretionary Access Controls (DACs) are
implemented at the discretion or option of the
data user
 Most personal computer operating systems
are designed based on the DAC model
 One discretionary model is rule-based access
controls where access is granted based on a
set of rules specified by the central authority
Other Forms of Access Control
 Content-dependent access controls—As the
name suggests, access to a specific set of
information may be dependent on its content
(e.g., Marketing information for the Marketing
Department)
 Constrained user interfaces—Some systems
are designed specifically to restrict what
information an individual user can access
(e.g., ATMs)
 Temporal (time-based) isolation—In some
cases, access to information is limited by a
time-of-day constraint (e.g., time-release
Chapter 08: Security Management Models

Academic Access Control Models
Bell-LaPadula Confidentiality
Model
 The Bell-LaPadula (BLP) confidentiality model
is a state machine reference model that helps
ensure the confidentiality of an information
system by means of mandatory access
controls (MACs), data classification, and
security clearances
 A state machine model is one in which the design follows a conceptual approach in which the state of the content of the system being modeled is always in a known secure condition; in other words, this kind of model is provably secure
Bell-LaPadula Confidentiality
Model (Continued)
 A system that serves as a reference monitor compares the
level of classification of the data with the clearance of the
entity requesting access; it allows access only if the clearance
is equal to or higher than the classification
 BLP security rules prevent information from being moved from a higher security level to a lower security level
Bell-LaPadula Confidentiality
Model (Continued)
 Access modes can be one of two types: simple security and the
* (star) property
• Simple security (also called the read property) prohibits a
subject of lower clearance from reading an object of higher
classification, but allows a subject with a higher clearance
level to read an object at a lower level (read down)
• The * property (the write property) prohibits a high-level
subject from sending messages to a lower-level object
• In short, the principle is “no read up, no write down”
Biba Integrity Model
 The Biba integrity model is similar to BLP
 The intent is to provide access controls to
ensure that objects or subjects cannot have
less integrity as a result of read/write
operations
 The Biba model ensures that no information
from a subject can be passed on to an object
in a higher security level
• This prevents contaminating data of higher
integrity with data of lower integrity
Biba Integrity Model (Continued)
 The Biba Model assigns integrity levels to
subjects and objects using two properties: the
simple integrity (read) property or the
integrity * property (write)
• The simple integrity property permits a
subject to have read access to an object only
if the security level of the subject is either
lower or equal to the level of the object
• The integrity * property permits a subject to
have write access to an object only if the
security level of the subject is equal to or
higher than that of the object
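The lattice labels from the Lattice-Based Access Controls slide, the two Bell-LaPadula rules, and the two Biba rules, written out as one small reference monitor. This is an added example, not code from the slides; the level names, compartment names, object names and integer integrity levels are constructed. Each label is a classification level plus a need-to-know compartment set, and "dominates" is the lattice order; BLP read and write are that order applied in opposite directions, and Biba is the same pair of checks with the direction reversed.

```python
from dataclasses import dataclass

# Constructed example: lattice labels (classification level + need-to-know compartments),
# the two Bell-LaPadula rules and the two Biba rules. Names and levels are invented.

LEVELS = {"Public": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A point in the security lattice: a linear level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND superset of compartments (need to know).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up (subject clearance must dominate the object)."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down (object label must dominate the subject clearance)."""
    return obj.dominates(subject)


# Biba uses integrity levels, ordered so that a higher number is more trustworthy.
def biba_can_read(subject_integrity: int, object_integrity: int) -> bool:
    """Simple integrity property: no read down (object at least as trustworthy as subject)."""
    return object_integrity >= subject_integrity


def biba_can_write(subject_integrity: int, object_integrity: int) -> bool:
    """Integrity *-property: no write up (subject at least as trustworthy as object)."""
    return subject_integrity >= object_integrity


def blp_decisions(subject: Label, objects: dict) -> dict:
    """Map object name -> (may_read, may_write) under Bell-LaPadula."""
    return {name: (blp_can_read(subject, lbl), blp_can_write(subject, lbl))
            for name, lbl in objects.items()}


def demo() -> dict:
    analyst = Label("Secret", frozenset({"crypto"}))
    objects = {
        "crypto-memo": Label("Confidential", frozenset({"crypto"})),       # below: read only
        "ts-plan": Label("Top Secret", frozenset({"crypto", "nuclear"})),  # above: write only
        "nuclear-log": Label("Secret", frozenset({"nuclear"})),            # incomparable: neither
        "own-notes": Label("Secret", frozenset({"crypto"})),               # equal: both
    }
    return blp_decisions(analyst, objects)


if __name__ == "__main__":
    for name, (r, w) in demo().items():
        print(f"{name:12s} read={r} write={w}")
```

The "nuclear-log" case is the one the slides' prose does not spell out: two labels at the same level but with different compartments are incomparable in the lattice, so the *-property and the simple security property both refuse, which is exactly how need-to-know is enforced on top of clearance.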
Clark-Wilson Integrity Model
 The Clark-Wilson integrity model, which is
built upon principles of change control rather
than integrity levels, was designed for the
commercial environment
 The change control principles upon which it
operates are:
• No changes by unauthorized subjects
• No unauthorized changes by authorized
subjects
• The maintenance of internal and external
consistency
Clark-Wilson Integrity Model
(Continued)
 These controls are part of the CWI model:
• Subject authentication and identification
• Access to objects by means of well-formed
transactions
• Execution by subjects on a restricted set of
programs
 The elements of the Clark-Wilson model are:
• Constrained data item (CDI)—Data item with
protected integrity
• Unconstrained data item—Data not
controlled by Clark-Wilson; nonvalidated
input or any output
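The Clark-Wilson elements above as a tiny ledger: balances are the CDIs, a raw text line is the UDI that must be validated before it reaches any TP, the IVP is the conservation-of-money invariant, and (user, TP) access triples decide who may run which certified program. This is an added example, not code from the slides; the account names, the "src,dst,amount" line format and the rollback-on-failed-IVP behaviour are my constructions.

```python
# Constructed example of the Clark-Wilson elements: constrained data items (CDIs),
# unconstrained data items (UDIs), an integrity verification procedure (IVP), certified
# transformation procedures (TPs) and the (user, TP) access triples that restrict which
# subjects may run which programs. Names and formats are invented.


class ClarkWilsonLedger:
    def __init__(self, accounts: dict):
        self.cdis = dict(accounts)             # CDIs: balances whose integrity is protected
        self.expected_total = sum(accounts.values())
        self.certified_tps = {}                # TP name -> function certified to preserve the IVP
        self.access_triples = set()            # (user, TP name) pairs an authority has permitted
        self.log = []                          # every run is recorded

    # Certification and authorization are administrative acts, separate from execution.
    def certify_tp(self, name: str, func) -> None:
        self.certified_tps[name] = func

    def permit(self, user: str, tp_name: str) -> None:
        self.access_triples.add((user, tp_name))

    # The IVP: no negative balances, and money is neither created nor destroyed.
    def ivp(self) -> bool:
        return (all(v >= 0 for v in self.cdis.values())
                and sum(self.cdis.values()) == self.expected_total)

    def run(self, user: str, tp_name: str, *args) -> None:
        """Execute a well-formed transaction: certified TP, permitted (user, TP) pair."""
        if tp_name not in self.certified_tps:
            raise PermissionError(f"{tp_name} is not a certified TP")
        if (user, tp_name) not in self.access_triples:
            raise PermissionError(f"{user} may not run {tp_name}")
        snapshot = dict(self.cdis)
        self.certified_tps[tp_name](self.cdis, *args)
        if not self.ivp():                       # a TP that breaks the invariant is rolled back
            self.cdis = snapshot
            self.log.append((user, tp_name, args, "rolled back"))
            raise ValueError(f"{tp_name} left the CDIs inconsistent")
        self.log.append((user, tp_name, args, "committed"))


def parse_transfer_udi(line: str):
    """Validate a UDI (a raw text line) before it may touch any CDI.

    Returns (src, dst, amount) or raises ValueError; a TP only ever sees validated data.
    """
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 3:
        raise ValueError("expected 'src,dst,amount'")
    src, dst, amount_text = parts
    if not amount_text.isdigit() or int(amount_text) <= 0:
        raise ValueError("amount must be a positive integer")
    return src, dst, int(amount_text)


def transfer_tp(cdis: dict, src: str, dst: str, amount: int) -> None:
    """A certified TP: moves value between two CDIs without creating or destroying any."""
    if cdis.get(src, 0) < amount:
        raise ValueError("insufficient funds")   # refuse before changing any CDI
    cdis[src] -= amount
    cdis[dst] = cdis.get(dst, 0) + amount


def demo() -> ClarkWilsonLedger:
    ledger = ClarkWilsonLedger({"alice": 100, "bob": 50})
    ledger.certify_tp("transfer", transfer_tp)
    ledger.permit("teller", "transfer")
    ledger.run("teller", "transfer", *parse_transfer_udi("alice, bob, 30"))
    return ledger


if __name__ == "__main__":
    print(demo().cdis)
```

The three change-control principles map directly onto the checks in `run`: the access triple stops unauthorized subjects, the certified-TP list stops authorized subjects from making changes through uncertified code, and the IVP with rollback keeps internal consistency even if a certified TP turns out to be wrong.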
Graham-Denning Access Control
Model
 The Graham-Denning access control model has
three parts: a set of objects, a set of subjects, and
a set of rights; subjects are composed of two
things: a process and a domain
 The eight primitive protection rights are:
1. Create object
2. Create subject
3. Delete object
4. Delete subject
5. Read access right
6. Grant access right
7. Delete access right
8. Transfer access right
Harrison-Ruzzo-Ullman (HRU)
model
 The Harrison-Ruzzo-Ullman (HRU) model
defines a method to allow changes to access
rights and the addition and removal of
subjects and objects, a process that the Bell-
LaPadula model does not
 Since systems change over time, their
protective states need to change
 HRU is built on an access control matrix and
includes a set of generic rights and a specific
set of commands
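An access control matrix with the eight Graham-Denning primitive rights listed above, each guarded by the owner/control condition the model attaches to it; the HRU view is that these primitives, wrapped in conditional commands, are how the matrix is allowed to change over time. This is an added example, not code from the slides; the subject and object names are invented, the "sysadmin" bootstrap subject, the `*` suffix marking a transferable right, and the exact precondition for each operation are my assumptions about the model, not text from the page.

```python
# Constructed example of an access-control matrix with the eight Graham-Denning primitives,
# each guarded by the owner/control check the model associates with it. Rights ending in "*"
# carry the transfer flag (an assumed convention). Names are invented.


class AccessMatrix:
    def __init__(self):
        self.subjects: set = set()
        self.objects: set = set()
        self.matrix: dict = {}     # (subject, object) -> set of rights

    def rights(self, s, o) -> set:
        return self.matrix.setdefault((s, o), set())

    def _require(self, cond: bool, msg: str) -> None:
        if not cond:
            raise PermissionError(msg)

    def _owns(self, s, o) -> bool:
        return "owner" in self.rights(s, o)

    def _controls(self, s, t) -> bool:
        return "control" in self.rights(s, t)

    # 1. create object: the creator becomes its owner
    def create_object(self, s, o):
        self._require(o not in self.objects, f"{o} already exists")
        self.objects.add(o)
        self.rights(s, o).add("owner")

    # 2. create subject: the creator controls the new subject; every subject controls itself
    def create_subject(self, s, t):
        self._require(t not in self.subjects, f"{t} already exists")
        self.subjects.add(t)
        self.objects.add(t)              # subjects are also objects (they can be acted upon)
        self.rights(s, t).add("control")
        self.rights(t, t).add("control")

    # 3. delete object: only its owner
    def delete_object(self, s, o):
        self._require(self._owns(s, o), f"{s} does not own {o}")
        self.objects.discard(o)
        for key in [k for k in self.matrix if k[1] == o]:
            del self.matrix[key]

    # 4. delete subject: only a subject that controls it
    def delete_subject(self, s, t):
        self._require(self._controls(s, t), f"{s} does not control {t}")
        self.subjects.discard(t)
        self.objects.discard(t)
        for key in [k for k in self.matrix if t in k]:
            del self.matrix[key]

    # 5. read access right: owner of the object or controller of the subject may inspect a cell
    def read_right(self, s, t, o) -> set:
        self._require(self._owns(s, o) or self._controls(s, t),
                      f"{s} may not read the rights of {t} on {o}")
        return set(self.rights(t, o))

    # 6. grant access right: only the object's owner
    def grant_right(self, s, r, t, o):
        self._require(self._owns(s, o), f"{s} does not own {o}")
        self.rights(t, o).add(r)

    # 7. delete access right: owner of the object or controller of the subject
    def delete_right(self, s, r, t, o):
        self._require(self._owns(s, o) or self._controls(s, t),
                      f"{s} may not remove the rights of {t} on {o}")
        self.rights(t, o).discard(r)

    # 8. transfer access right: s must hold r with the transfer flag ("r*") on o
    def transfer_right(self, s, r, t, o, keep_transferable=False):
        base = r.rstrip("*")
        self._require(base + "*" in self.rights(s, o), f"{s} cannot transfer {base} on {o}")
        self.rights(t, o).add(base + "*" if keep_transferable else base)


def demo() -> AccessMatrix:
    m = AccessMatrix()
    for name in ("alice", "bob", "carol"):
        m.create_subject("sysadmin", name)              # "sysadmin" is the bootstrap subject
    m.create_object("alice", "report")                  # alice owns the report
    m.grant_right("alice", "read", "bob", "report")
    m.grant_right("alice", "write*", "bob", "report")   # bob may pass "write" on
    m.transfer_right("bob", "write", "carol", "report") # carol gets a non-transferable copy
    return m


if __name__ == "__main__":
    m = demo()
    print({k: sorted(v) for k, v in m.matrix.items() if v})
```

Because `transfer_right` strips the flag unless `keep_transferable` is set, the chain of who can hand a right on is bounded at each step, which is the kind of property HRU's safety question asks about: can some sequence of commands ever put a given right into a given cell?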
Brewer-Nash (Chinese Wall)
 The Brewer-Nash model—commonly known as
a Chinese Wall—is designed to prevent a
conflict of interest between two parties
 The Brewer-Nash model requires users to
select one of two conflicting sets of data, after
which they cannot access the conflicting data
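The Brewer-Nash rule above, with the subject's own access history as the state that builds the wall. This is an added example, not code from the slides; the dataset names and conflict classes are invented, and the write rule is the model's usual "no information flow between rivals through a subject" formulation, which I state as an assumption since the slides only describe the read side.

```python
# Constructed example of the Brewer-Nash (Chinese Wall) rules: datasets are grouped into
# conflict-of-interest classes, and a subject's past accesses decide what it may touch next.
# Dataset names are invented; the write rule is an assumed simplification of the model.


class ChineseWall:
    def __init__(self, conflict_classes: dict):
        # conflict_classes: dataset name -> conflict-of-interest class, e.g. "banks"
        self.coi = dict(conflict_classes)
        self.history = {}        # subject -> set of datasets it has already accessed
        self.decisions = []      # audit trail of (subject, op, dataset, allowed)

    def can_read(self, subject: str, dataset: str) -> bool:
        """Simple security rule: a subject may read a dataset only if every dataset it has
        accessed before is either the same dataset or lies in a different conflict class."""
        seen = self.history.get(subject, set())
        return all(d == dataset or self.coi[d] != self.coi[dataset] for d in seen)

    def read(self, subject: str, dataset: str) -> bool:
        ok = self.can_read(subject, dataset)
        if ok:
            self.history.setdefault(subject, set()).add(dataset)   # the wall is built on first use
        self.decisions.append((subject, "read", dataset, ok))
        return ok

    def can_write(self, subject: str, dataset: str) -> bool:
        """*-property (assumed formulation): a subject may write to a dataset only if it may
        read it and has accessed nothing from any other dataset, so data from one company
        cannot leak into a rival's through a subject that has seen both."""
        seen = self.history.get(subject, set())
        return self.can_read(subject, dataset) and seen <= {dataset}

    def write(self, subject: str, dataset: str) -> bool:
        ok = self.can_write(subject, dataset)
        if ok:
            self.history.setdefault(subject, set()).add(dataset)
        self.decisions.append((subject, "write", dataset, ok))
        return ok


def demo() -> list:
    wall = ChineseWall({"BankA": "banks", "BankB": "banks", "OilCo": "oil"})
    return [
        wall.read("analyst", "BankA"),    # True: first access, no wall yet
        wall.read("analyst", "BankB"),    # False: conflicts with BankA
        wall.read("analyst", "OilCo"),    # True: different conflict class
        wall.write("analyst", "BankA"),   # False: analyst has also read OilCo
        wall.read("analyst", "BankA"),    # True: re-reading the chosen side is fine
        wall.read("auditor", "BankB"),    # True: a different subject has its own history
    ]


if __name__ == "__main__":
    print(demo())
```

Unlike BLP and Biba, the decision here depends on what the subject has already touched rather than on fixed labels, which is why the history must be kept per subject and why a denied read is not reversible by simply asking again.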
Summary
 A framework is the outline of a more thorough
blueprint used in the creation of the InfoSec
environment. A security model is a generic
blueprint offered by a service organization
 One of the most widely referenced security models
is “ISO/IEC 27001: 2005 Information Technology—
Code of Practice for InfoSec Management,” which is
designed to give recommendations for InfoSec
management. Other approaches to structuring
InfoSec management are found in the many
documents available from NIST’s Computer
Security Resource Center
 Control Objectives for Information and Related
Technology (COBIT) provides advice about the
Summary (Continued)
 The Committee of Sponsoring Organizations (COSO) of
the Treadway Commission has established a common
definition of internal controls, standards, and criteria
against which companies and organizations can assess
their control systems. The Information Technology
Infrastructure Library (ITIL) is a collection of methods and
practices useful for managing the development and
operation of information technology infrastructures
 The Information Security Governance Framework is a
managerial model provided by an industry working group
that provides guidance in the development and
implementation of an organizational InfoSec governance
structure
 Security architecture models illustrate InfoSec
implementations and can help organizations make quick
improvements through adaptation. The most common
Summary (Continued)
 Access controls regulate the admission of users
into trusted areas of the organization. Access
control comprises four elements: identification,
authentication, authorization, and accountability
 Access control is built on the principles of least
privilege, need-to-know, and separation of duties
 Approaches to access control include directive,
deterrent, preventative, detective, corrective,
recovery, and compensating. Access controls may
be classified as management, operational (or
administrative), or technical
 Mandatory access controls (MACs) are controls
required by the system that operate within a data
classification and personnel clearance scheme
Summary (Continued)
 Nondiscretionary controls are determined by a
central authority in the organization and can be
based on roles or on a specified set of tasks
 Discretionary access controls (DACs) are
implemented at the discretion or option of the data
user
 Common academic access control models include
the Bell-LaPadula (BLP) confidentiality model, the
Biba integrity model, the Clark-Wilson integrity
model, the Graham-Denning access control model,
the Harrison-Ruzzo-Ullman (HRU) model for access
rights, and the Brewer-Nash model