Courtesy : Hack2Secure
The security risk is the major cause of vagueness in any enterprise. Thus, organizations increasingly focus on determining and managing that risk before they affect their business. The ability of the organization to manage the Information Security risk will support them act more confidently on the business protection. In addition to this, companies should assure that their security measure will function as intended. For this, they need to consider security in the system support and operations. In order to help the organizations, here we presented the outline of the risk management, security assurance and security considerations in the system support and operations with the reference in the NIST Special Publication 800-12 Rev. 1.
Information Security Risk Management
The risk is nothing but a measure of a level a unit is susceptible by an event or circumstance, and characteristically a function of the adverse influence, which would rise of the event or circumstance happens and the possibility of occurrence.
Risk Management is the procedure of reducing the risks to enterprise operations and assets, other enterprises, individuals and the nation.
Four steps involved in the risk management are:
1. Framing Risks –This step defines how enterprises create a risk setting for their environment in which decisions regarding risks are made. Its main purpose is to launch a risk management procedure, which addresses how enterprise intent to assess, monitor and respond to risks while making transparent and explicit the risk perceptions, which organization habitually use in both operational and investment decisions.
2. Assessing Risks – This step defines how enterprise evaluate risks within the enterprise risk frame setting. Its main purpose is to determine:
- Threats to enterprise operations and assets, other organizations, individuals, and nation
- Internal & external vulnerabilities of enterprises
- The harm to the enterprise, which may happen given the possibility of threats exploiting weaknesses
- The possibility that harm will happen
3. Responding to risk – This step addresses how enterprise responds to risk once that is determined according to the risk assessment results. Its main purpose is to offer a consistent, enterprise-wide response to the risk based on the enterprise risk frame by:
- Creating alternative sequences of actions to respond to risk
- Assessing the alternative action sequences
- Identifying the corresponding sequence of actions reliably with enterprise risk tolerance
- Implementing risks, responses according to the selected sequence of action
4. Monitoring Risk – This step addresses how enterprise monitors risk over the period of time. Its purpose is to:
- Check that planned risk response measures are properly implemented and that security needs derived from or traceable to enterprise mission/ functions, federal legislation, regulations, directives, standards, policies, and guidelines are fulfilled.
- Identify the ongoing efficiency of the risk response measures
- Determining risk influencing changes to system and environment of the organization
NIST Risk Management Framework (RMF)
Risks management Framework promotes the strategy of almost real-time risks management & ongoing system authorization via the continuous monitoring process implementation. It allows senior leaders gain the essential details to make cost-effective and risk-based decisions with respect to enterprise system supporting their basic missions and functions. It also integrates security aspects into the enterprise SDLC process.
The following figure depicts the overview of the RMF:
Categorize – Organization needs to categorize the systems as well as the information managed, stored and transmitted in accordance with impact analysis.
Select – Then, the organization needs to involve in selecting the initial set of system baseline security controls according to the security categorization and tailoring & supplementing the control baseline as required accordance with the enterprise risks and local condition assessment.
Implement – Enterprise is accountable for implementing information security controls and defining how those controls are working within the system and operation.
Assess – At this step, the enterprise needs to assess the security controls with the proper assessment procedures and to identify the level which the controls are executed correctly, operating as intended & producing the expected outcome.
Authorize – As per the result of the security control assessment, a senior official in the enterprise authorizes the system to function and continue to function. The senior official makes this decision according to the identification of the risks to enterprise assets & operations, other organizations, individuals and the nation resulting from the system operation and the decision.
Monitor – The final stage of the RMF is to monitor the security controls continuously to guarantee that they’re effective even changes happen in the system and the environment. Enterprise monitors the security controls on the continuous basis, including evaluating control effectively, documenting alteration to the system, conducting security influence analysis of the related chances & reporting the security status to the designated officials.
Information Security Assurance
Authorization & Assurance
The size & complexity of the systems today make creating a reliable system a priority. System security engineering offers a straightforward approach for creating dependable systems in the complex computing environment. This section presents the two divisions of assurance methods & tools:
1. Design And Implementation Assurance
This method addresses the design of the systems and whether the features of an application, system or component satisfies the software requirements & specifications. It examines the system design, progress, and installation. It can be applied throughout the entire lifecycle of the system, but generally associated with the development and implementation phase. This method can be achieved by using the following techniques:
Advanced Or Trusted Development – The advanced or trusted development methodologies, system architectures or software engineering techniques can offer assurance in the development of COTS (Commercial off-the-shelf) products & customized systems. For example, formal modeling, security design & development reviews, ISO 9000 quality techniques, mathematical proofs, ISO 15288 or trusted computing base (TCB).
Reliable Architecture – The reliable system architecture that uses fault tolerance, shadowing, redundancy or RAID features are primarily linked with system availability.
- Reliable Security – Ease of safe use is the main factor that resides in the reliable security that postulated that the system is simpler to secure is possible to be secure.
- Evaluations – Evaluation of a product normally includes testing. It can be performed by several kinds of the enterprises, including independent enterprises such as professional & trade organization, domestic & foreign government agencies, individual users or commercial groups.
- Assurance Documentation – Assurance documentation can report the system or specific component security. System-level documentation defines the security needs of the systems and how they’ve been implemented. Component documentation will be an off-the-shelf product, while the implementer or system designer will typically create system documentation.
- Warranties, Integrity Statement & Liabilities – Warranties are the additional assurance source and it gives the sense of commitment to correct the errors within the specified timeframes. It also speaks about the quality of the product. Integrity statement is a certificate or formal declaration of the product. It can be increased by the promise to liability (pay for losses) if the product doesn’t follow to the integrity statement.
- Manufacturer’s Published Assertions – The published assertions to the developer or manufacturer present a limited amount of assurance according to the reputation.
- Distribution Assurance – It is essential to aware that software has received without modification particularly in case it is distributed. We can use digital signatures and check bits since they can provide high assurance about that code hasn’t been modified.
2. Operational Assurance
Operation assurance reports whether the technical features of the system include vulnerabilities or are being bypassed and there needed procedures are being tailored.
The organization utilizes three methods to keep operational assurance:
1. System Assessments – An event to evaluate security. Assessment methods comprise examination, interview, and testing.
2. System Audits – An independent examination and review of the records & activities to evaluate the system control adequacy and to guarantee compliance with launching policies and procedures. There are several methods and tools, which can be used to audit including:
- Automated Tools – Used to support uncover threats and vulnerabilities.
- Internal Control Audits – Review controls in the system to determine whether they are effective by using techniques like testing, observation, and inquiry.
- Using The System Security Plan (SSP) – Presents implementation details against the system that can be audited.
- Penetration Testing – Involves several methods to effort to break the system security.
3. System Monitoring – Process for keeping ongoing security awareness, vulnerabilities & threats to aid enterprise risk management decisions. The methods and tools used in system monitoring are as follows:
- Review System Logs – Analyze system-generated logs to find security problems.
- Automated Tools – Examples of automated tools used to monitor the system for the security issues are malicious code scanners, checksum, password strength checkers, host-based intrusion detection system, system performance monitoring analysis and integrity verification programs.
- Configuration Management – Provides assurance that organizational system in function has been configured to standards and needs, that any alteration to be made are revised and that such modification has been authorized by the management preceding to implementation.
- Trade Literature/Publications/Electronic News – Furthermore, it is essential to monitor these external sources of information that includes details about the security vulnerabilities, patches and other things that influence the security.
Security Considerations In System Support And Operations
System support & operations refer to entire aspects involved in the running of a system. The failure to include security as a portion of the support & operations of systems can result in damage to the enterprise. The following are some of the categories that organization’s policies and procedures fail to address:
- User Support – An essential security consideration for the user support peoples is being capable to recognize which issues are security-related.
- Software Support – Several elements involved in the software support. One element controls what software is running on the system. Another element ensures that software hasn’t been altered without proper authorization.
- Configuration Management – Process of chasing and approving the alterations to the system to ensure that the changes don’t unintentionally or unknowingly affect security. In addition, it ensures that changes are replicated in other documentation like a contingency plan.
- Backups – System support officials or users often back up the data and software. It is important to backup only the necessary detail and in a secure way.
- Media Controls – Includes a wide range of measures to offer environmental and physical protection as well as accountability for digital & non-digital media.
- Documentation – To ensure consistency and continuity, the entire factors of system support and operations need to be documented.
- Maintenance- If the system maintenance is not proper, then the security vulnerability will get introduced.
In addition to effective risk management and security assurance, the organization should ensure security consideration at the system support and operation for implementing the flawless information security in their business.