VISA INTERNATIONAL SECURITY MODEL
ü It
promotes strong security measures in its business associates and has
established guidelines for the security of its information systems.
ü It has
developed two important documents
\endash
Security Assessment Process
\endash
Agreed Upon Procedures.
ü Both
documents provide specific instructions on the use of the VISA Cardholder
Information Security Program.
ü The
Security Assessment Process document is a series of recommendations for the
detailed examination of an organization’s systems with the eventual goal of integration
into the VISA systems.
ü The
Agreed upon Procedures document outlines the policies and technologies required
for security systems that carry the sensitive card holder information to and
from VISA systems.
ü Using the
two documents, a security team can develop a sound strategy for the design of
good security architecture.
ü The only
downside to this approach is the specific focus on systems that can or do
integrate with VISA’s systems with the explicit purpose of carrying the
aforementioned cardholder information.
Baselining & Best Business Practices
\endash
Baselining
and best practices are solid methods for collecting security practices, but
provide less detail than a complete methodology
\endash
Possible
to gain information by baselining and using best practices and thus work
backwards to an effective design
\endash
The
Federal Agency Security Practices (FASP) site (fasp.nist.gov) designed to
provide best practices for public agencies and adapted easily to private
institutions.
\endash
The
documents found in this site include specific examples of key policies and
planning documents, implementation strategies for key technologies, and
position descriptions for key security personnel.
\endash
Of
particular value is the section on program management, which includes the
following:
A summary guide: public law, executive orders, and
policy documents
Position description for computer system security
officer.
Position description for information security
officer
Position description for computer specialist.
Sample of an information technology(IT) security
staffing plan for a large service application(LSA)
Sample of an information technology(IT) security
program policy
Security handbook and standard operating
procedures.
Telecommuting and mobile computer security policy.
\endash
DESIGN OF
SECURITY ARCHITECTURE
\endash
Hybrid
Framework for a Blueprint of an Information Security System
The
framework of security includes philosophical components of the Human Firewall
Project, which maintain that people, not technology, are the primary defenders
of information assets in an information security program, and are uniquely
responsible for their protection.
The
spheres of security are the foundation of the security framework.
The
sphere of use, at the left in fig, explains the ways in which people access information;
for example, people read hard copies of documents and can also access
information through systems.
The
sphere of protection at the right illustrates that between each layer of the
sphere of use there must exist a layer of protection to prevent access to the
inner layer from the outer layer.
Each
shaded band is a layer of protection and control.
\endash
Sphere of
Protection
The
“sphere of protection” overlays each of the levels of the “sphere of use” with
a layer of security, protecting that layer from direct or indirect use through
the next layer
The
people must become a layer of security, a human
firewall that protects the information from unauthorized access and use
Information
security is therefore designed and implemented in three layers
–
policies
–
people
(education, training, and awareness programs)
–
technology
4.6.7 As
illustrated in the sphere of protection, a variety of controls can be used to
protect the information.
4.6.8 The items
of control shown in the figure are not intended to be comprehensive but rather
illustrate individual safeguards that can protect the various systems that are
located closer to the center of the sphere.
4.6.9 However,
because people can directly access each ring as well as the information at the
core of the model, the side of the sphere of protection that attempt to control
access by relying on people requires a different approach to security than the
side that uses technology.
3 Level of Control
Management Controls
ü Risk
Management
ü Review of
Security Controls
ü Life
Cycle Maintenance
ü Authorization
of Processing (Certification and Accreditation)
ü System
Security Plan
Operational Controls
ü Personnel
Security
ü Physical
Security
ü Production,
Input/Output Controls
ü Contingency
Planning
ü Hardware
and Systems Software
ü Data
Integrity
ü Documentation
ü Security
Awareness, Training, and Education
ü Incident
Response Capability
Technical Controls
ü Identification
and Authentication
ü Logical
Access Controls
ü Audit
Trails
Management controls
ü It address
the design and implementation of the security planning process and security
program management.
ü They also
address risk management and security control reviews. They further describe the
necessity and scope of legal compliance and the maintenance of the entire
security life cycle.
Operational controls
ü It deal
with the operational functionality of security in the organization. They
include management functions and lower level planning, such as disaster
recovery and incident response planning.
ü They also
address personnel security, physical security, and the protection of production
inputs and outputs.
ü They
guide the development of education, training and awareness programs for users,
administrators, and management. Finally, they address hardware and software
systems maintenance and the integrity of data.
Technical controls
1. It
address the tactical and technical issues related to designing and implementing
security in the organization, as well as issues related to examining and
selecting the technologies appropriate to protecting information.
2. They
address the specifics of technology selection and the acquisition of certain
technical components. They also include logical access controls, such as
identification, authentication, authorization, and accountability.
3. They
cover cryptography to protect information in storage and transit. Finally, they
include the classification of assets and users, to facilitate the authorization
levels needed.
Using the
three sets of controls, the organization should be able to specify controls to
cover the entire spectrum of safeguards, from strategic to tactical, and from
managerial to technical.
5.
Defense
in Depth
One of
the basic foundations of security architectures is the implementation of
security in layers. This layered approach is called defense in depth.
Defense
in depth requires that the organization establish sufficient security controls
and safeguards, so that an intruder faces multiple layers of controls.
These
layers of control can be organized into policy, training and education and
technology as per the NSTISSC model.
While
policy itself may not prevent attacks, they coupled with other layers and deter
attacks.
Training
and Education are similar.
Technology
is also implemented in layers, with detection equipment, all operating behind
access control mechanisms.
Implementing
multiple types of technology and thereby preventing the failure of one system
from compromising the security of the information is referred to as redundancy.
Redundancy
can be implemented at a number of points throughout the security architecture,
such as firewalls, proxy servers, and access controls. The figure shows the use
of firewalls and intrusion detection systems(IDS) that use both packet-level
rules and data content.
Security Perimeter
ü A
Security Perimeter is the first level of security that protects all internal
systems from outside threats.
ü Unfortunately,
the perimeter does not protect against internal attacks from employee threats,
or on-site physical threats.
ü Security
perimeters can effectively be implemented as multiple technologies that
segregate the protected information from those who would attack it.
ü Within
security perimeters the organization can establish security domains, or areas
of trust within which users can freely communicate.
ü The
presence and nature of the security perimeter is an essential element of the
overall security framework, and the details of implementing the perimeter make
up a great deal of the particulars of the completed security blueprint.
ü The key
components used for planning the perimeter are presented in the following
sections on firewalls, DMZs, proxy servers, and intrusion detection systems.
ü
Key
Technology Components
Other key
technology components
– A firewall is a device that selectively
discriminates against information flowing
into or
out of the organization.
– Firewalls
are usually placed on the security perimeter, just behind or as part of a gateway
router.
– Firewalls
can be packet filtering, stateful packet filtering, proxy, or application level.
– A
Firewall can be a single device or a
firewall subnet, which
consists of multiple firewalls
creating a buffer between the outside and inside networks.
– The DMZ (demilitarized zone) is a
no-man’s land, between the inside and outside networks, where some organizations place Web
servers
– These
servers provide access to organizational web pages, without allowing Web requests to enter the interior
networks.
– Proxy server- An alternative approach to the strategies of using
a firewall subnet or a DMZ
is to use a proxy server, or proxy firewall.
– When an
outside client requests a particular Web page, the proxy server receives the request as if it were the
subject of the request, then asks for the same information from the true Web
server(acting as a proxy for the requestor), and then responds to the request
as a proxy for the true Web server.
– For more
frequently accessed Web pages, proxy servers can cache or temporarily store the page, and thus are
sometimes called cache servers.
– Intrusion Detection Systems (IDSs). In an effort to detect
unauthorized activity within
the inner network, or on individual machines, an organization may wish to
implement Intrusion Detection Systems or
IDS.
–
IDs come in two versions. Host-based
& Network-based IDSs.
– Host-based IDSs are usually installed on the machines they protect
to monitor the status of
various files stored on those machines.
– Network-based IDSs look at patterns of network
traffic and attempt to detect unusual
activity based on previous baselines.
– This
could include packets coming into the organization’s networks with addresses from machines already
within the organization (IP spoofing).
– It could
also include high volumes of traffic going to outside addresses (as in cases of data theft) or coming
into the network (as in a denial of service attack).
–
Both
host-and network based IDSs require a database of previous activity.
1
Security
Education, Training, and Awareness Program
ü As soon
as general security policy exists, policies to implement security education, training
and awareness (SETA) program should follow.
ü SETA is a
control measure designed to reduce accidental security breaches by employees.
ü Security
education and training builds on the general knowledge the employees must
possess to do their jobs, familiarizing them with the way to do their jobs
securely
4.7.4 The SETA
program consists of three elements: security education; security training; and
security awareness
4.7.5 The
purpose of SETA is to enhance security by:
ü Improving
awareness of the need to protect system resources.
ü Developing
skills and knowledge so computer users can perform their jobs more securely.
ü Building
in-depth knowledge, as needed, to design, implement, or operate security
programs for organizations and systems.
Security Education
1 Everyone
in an organization needs to be trained and aware of information security, but
not every member of the organization needs a formal degree or certificate in
information security.
2 A number
of universities have formal coursework in information security.
3 For those
interested in researching formal information security programs, there are
resources available, such as the NSA-identified Centers of Excellence in
Information Assurance Education.
Security Training
· It
involves providing members of the organization with detailed information and
hands-on instruction to prepare them to perform their duties securely.
· Management
of information security can develop customized in-house training or outsource
the training program.
Security Awareness
ü One of
the least frequently implemented, but most beneficial programs is the security
awareness program
ü Designed
to keep information security at the forefront of users’ minds
ü Need not
be complicated or expensive
ü If the
program is not actively implemented, employees may begin to “tune out” and risk
of employee accidents and failures increases
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.