Which management groups are responsible for implementing information security

Security information management (SIM) is an industry term related to information security referring to the collection of data (typically log files) into a central repository for trend analysis. SIM products generally are software agents running on the systems to be monitored, which then send the log information to a centralized server acting as a “security console.” The console typically displays reports, charts, and graphs of that information, often in real-time. Some software agents can incorporate local filters, to reduce and manipulate the data that they send to the server, although typically from a forensic point of view you would collect all audit and accounting logs to ensure you can recreate a security incident.

The security console is monitored by a human being, who reviews the consolidated information, and takes action in response to any alerts issued. The data that is sent to the server, to be correlated and analyzed, are normalized by the software agents into a common form, usually XML. Those data are then aggregated, in order to reduce their overall size.

The terminology can easily be mistaken as a reference to the whole aspect of protecting one's infrastructure from any computer security breach. For historical reasons of terminology evolution, SIM refers only to the part of information security that consists of discovering “bad behavior” through data collection techniques. The term commonly used for the entire security infrastructure that protects an environment is information security management (InfoSec).


URL: https://www.sciencedirect.com/science/article/pii/B9780128024591000117

Auditing in Context

Stephen D. Gantz, in The Basics of IT Audit, 2014

The role of IT audit in information security management

Information security management supports IT auditing by taking responsibility for implementing and correctly configuring internal controls related to security. Security controls are an important subject of internal controls, but still a subset, meaning information security does not cover the full range of IT controls in an organization. IT auditing also supports information security management, by providing detailed, critical examinations of internal controls implemented to achieve security objectives and by confirming that IT operations match organizational policies, procedures, standards, and guidelines. As noted in Chapter 6, security criteria apply in audits of virtually every type of IT component that might be subject to an IT audit. IT audit procedures are also useful for some types of narrowly scoped examinations, such as checking a system or network device for proper configuration against a specification such as the Defense Information Systems Agency’s Security Technical Implementation Guides (STIGs) [27] or U.S. Government Configuration Baseline (USGCB) [28], or secure configuration guidelines provided by technology vendors for their products.
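The narrowly scoped examination described above, checking a device configuration against a specification, reduces to parsing the configuration and comparing each directive against an expected value. The following is an added example, not code from the book; the sshd_config text and the expected-value specification are constructed for illustration and are not an actual STIG or USGCB checklist.

```python
"""Configuration compliance check in the spirit of a STIG-style audit.

Added example. The sample sshd_config text and the expected-value
specification are constructed placeholders, not an official checklist.
"""
import re

# Constructed specification: directive -> (expected value, finding severity).
# Real STIG/USGCB checks carry official identifiers and values; these are
# placeholders chosen to exercise the comparison logic.
SPEC = {
    "PermitRootLogin": ("no", "high"),
    "PasswordAuthentication": ("no", "medium"),
    "X11Forwarding": ("no", "low"),
    "LogLevel": ("VERBOSE", "low"),
}

# Constructed sample configuration, as an auditor might pull it from a host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
  PasswordAuthentication no
#X11Forwarding yes
LogLevel INFO
"""


def parse_config(text):
    """Parse 'Directive value' lines into a dict, ignoring comments and blanks.

    Directive names are case-insensitive in sshd, so keys are normalised to
    lower case; the first occurrence wins, which matches sshd's behaviour.
    """
    parsed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+?)\s*$", line)
        if m is None:
            continue
        parsed.setdefault(m.group(1).lower(), m.group(2))
    return parsed


def check_compliance(config_text, spec=SPEC):
    """Compare a configuration against the spec; return a list of findings.

    A directive that is absent is reported as 'missing' rather than silently
    passing, because sshd would then apply its own default, which the auditor
    has to look up separately.
    """
    parsed = parse_config(config_text)
    findings = []
    for directive, (expected, severity) in spec.items():
        actual = parsed.get(directive.lower())
        if actual is None:
            status = "missing"
        elif actual.lower() != expected.lower():
            status = "fail"
        else:
            continue
        findings.append({"directive": directive, "expected": expected,
                         "actual": actual, "status": status,
                         "severity": severity})
    return findings


def summarize(findings):
    """Count findings per severity so a report can lead with the worst."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = check_compliance(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f['severity']:6}] {f['directive']}: {f['status']} "
              f"(expected {f['expected']!r}, got {f['actual']!r})")
    print(summarize(results))
```

Against the constructed sample, PermitRootLogin fails, X11Forwarding is reported as missing because the only occurrence is commented out, and LogLevel fails; PasswordAuthentication passes despite its leading whitespace.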

Information security management programs are also the subject of IT audits. ISO/IEC 27001 emphasizes the importance of auditing an organization’s ISMS using formal internal audit procedures to examine security control objectives, implemented controls, and processes and procedures for operating, maintaining, and improving the ISMS [26]. Information security programs may be subject to formal review, inspection, or audit, depending on the industry and the nature of oversight to which an organization is subject. Examination of security controls is also an element of many types of internal and external audits of internal controls including those focused on control of financial accounting and reporting systems in publicly traded companies.


URL: https://www.sciencedirect.com/science/article/pii/B978012417159600002X

Auditing and Security Incidents

Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008

Security Information Management

A SIM solution at its heart is nothing more or less than a log collector and its correlation engine. The log collector's role is to acquire the log, normalize it (that is, translate the log data into the schema used by the vendor), then pass it on to the correlation engine.

The correlation engine uses rules, signatures (though not always), and sophisticated logic to deduce patterns and intent from the traffic it sees originating at the host operating system (OS) and network layers. Well-designed SIM technologies try to distribute much of the “heavy lifting” in terms of moving data, but the actual analysis of that data must be centralized in some form.

A SIM solution must be scalable! In other words, wherever your business has data, you should have some central point where a log collector is going to have a reasonable chance of receiving your logs, then passing them on. If you have an important subsidiary that handles significant volumes of data, you don't want your log collector at a remote office. You need to have it near where the data flows and where it is stored.
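Both excerpts above describe the same pipeline: an agent or collector acquires logs, normalizes them into a common schema, aggregates them, and hands them to a correlation engine that deduces patterns. The following is an added example of that pipeline, not code from either book. The raw log lines, the flat common schema (a real product would emit its vendor schema, often XML), and the correlation rule are constructed for illustration.

```python
"""Minimal SIM pipeline: collect, normalize, aggregate, correlate.

Added example. Log lines, schema and the correlation rule are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events from two sources with different native formats.
RAW_LOGS = [
    "2024-03-01T10:00:01 sshd[101]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "2024-03-01T10:00:04 sshd[101]: Failed password for root from 203.0.113.7 port 5002 ssh2",
    "2024-03-01T10:00:09 sshd[101]: Failed password for admin from 203.0.113.7 port 5003 ssh2",
    "2024-03-01T10:00:15 sshd[101]: Accepted password for alice from 198.51.100.9 port 6000 ssh2",
    "EventID=4625 Time=2024-03-01T10:00:20 Account=bob Source=203.0.113.7",
    "EventID=4625 Time=2024-03-01T10:30:00 Account=bob Source=192.0.2.44",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")
WIN_RE = re.compile(
    r"^EventID=(?P<id>\d+) Time=(?P<ts>\S+) Account=(?P<user>\S+) Source=(?P<src>\S+)$")


def normalize(line):
    """Translate one native log line into the collector's common schema.

    Returns None for lines no parser claims, so the caller can count them
    as unparsed instead of dropping them silently.
    """
    m = SSHD_RE.match(line)
    if m:
        return {"time": datetime.fromisoformat(m["ts"]), "source_ip": m["src"],
                "user": m["user"],
                "outcome": "failure" if m["result"] == "Failed" else "success",
                "origin": "sshd"}
    m = WIN_RE.match(line)
    if m:
        # Windows event 4625 is a failed logon; other ids are left generic here.
        outcome = "failure" if m["id"] == "4625" else "other"
        return {"time": datetime.fromisoformat(m["ts"]), "source_ip": m["src"],
                "user": m["user"], "outcome": outcome, "origin": "windows"}
    return None


def aggregate(events):
    """Reduce events to counts keyed by (source_ip, outcome), as the central
    server does to shrink the data before storing or charting it."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["source_ip"], e["outcome"])] += 1
    return dict(counts)


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failures from one source IP inside `window`.

    Failures are matched across origins (sshd and Windows alike), which is
    the point of centralising them in the first place.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["outcome"] == "failure":
            by_src[e["source_ip"]].append(e["time"])
    alerts = []
    for src, times in by_src.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"source_ip": src, "count": threshold,
                               "first": times[i], "last": times[i + threshold - 1]})
                break  # one alert per source per evaluation
    return alerts


def run_pipeline(raw_lines=RAW_LOGS):
    """Collector side (normalize) followed by server side (aggregate, correlate)."""
    events = [e for e in (normalize(line) for line in raw_lines) if e is not None]
    return aggregate(events), correlate(events)


if __name__ == "__main__":
    counts, alerts = run_pipeline()
    print(counts)
    print(alerts)
```

On the constructed input, the three sshd failures from 203.0.113.7 within eight seconds trigger the rule; the later Windows failure from the same address raises the aggregate count to four but does not produce a second alert, and the single failure from 192.0.2.44 stays below the threshold.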


URL: https://www.sciencedirect.com/science/article/pii/B978159749281200010X

Federal Information Security Fundamentals

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Civilian, Defense, and Intelligence Sector Practices

Information security management programs operate similarly across different government organizations, but differences exist among agencies in each of three primary sectors: civilian, defense, and intelligence. While all government agencies perform many of the same activities—including security categorization; security control selection, implementation, and assessment; certification and accreditation; and operational security monitoring—the policies, procedures, and guidelines for information security vary among the civilian, defense, and intelligence domains. Under authority delegated by FISMA, oversight of agency information security programs and information systems is different in each sector as well—while the Director of OMB oversees executive agencies in general, the Secretary of Defense and Director of Central Intelligence [20] have authority for systems operated by or on behalf of Department of Defense and the Central Intelligence Agency, respectively [21]. Additional government regulations and policies outside the scope of most FISMA provisions govern national security systems, regardless of the agency that operates them. FISMA directs agencies operating or controlling national security systems to implement the separate standards and guidelines that apply to those systems; the multi-agency Committee on National Security Systems is responsible for establishing those standards and guidelines [22]. Key differences among the security management practices in each sector include the primary sources of policies, standards, and guidance for each type of agency, approaches to information classification and security categorization, recommended security control frameworks, and procedures for system certification and accreditation.

Note

Despite language in FISMA requiring agencies operating national security systems to provide “information security protections commensurate with the risk and magnitude of the harm” that would result from a loss of confidentiality, integrity, or availability [23], authoritative federal policy on national security systems does not incorporate risk-based security practices. National Security Directive 42, which establishes national policy for these systems, states, “national security systems shall be secured by such means as are necessary (emphasis added) to prevent compromise, denial, or exploitation,” [24] echoing similar policy language issued several years earlier in National Security Decision Directive 145 for federal systems that process classified information [25]. NSD-42 stresses the importance of maintaining or improving government capabilities to secure national security systems against threats, implying that the primary objective is security, not risk-adjusted security. The policy objectives include effective and efficient use of resources, but there is no consideration of risk anywhere in the directives.

Sources of Guidance

The civilian, defense, and intelligence sectors each have their own primary sources of policies, standards, and guidance on the protection of federal information systems and the information those systems store, process, and make available to authorized users. The Computer Security Act of 1987 assigned responsibility to the National Institute of Standards and Technology for developing standards and guidance to improve the security and privacy of federal computer systems [26], authority reaffirmed in FISMA that makes NIST a government-wide provider of authoritative guidance and the primary source for civilian agencies. In the federal defense sector, the National Security Agency has long developed substantial security technical guidelines and standards, contributing guidance to government-wide programs in all sectors and supporting the establishment of effective security protective measures for federal information systems in general and national security systems in particular. Under authority in FISMA given to the Secretary of Defense to develop and oversee the implementation of security policy, standards, and guidelines, the Department of Defense Chief Information Officer issues a large number of policy and technical directives, regulations, instructions, and manuals governing information security programs and information assurance activities throughout the defense sector [27]. These DoD materials largely apply to FISMA-covered systems, as a separate set of policies, directives, instructions, and standards apply to national security systems, regardless of the agency that operates them. This special class of systems is addressed in guidance from the Committee on National Security Systems (CNSS), which sets government-wide policy, procedures, and standards for national security systems. 
CNSS members include many civilian agencies in addition to DoD components and intelligence agencies, with executive oversight for the Committee provided by the Secretary of Defense and managerial and technical leadership provided by the National Security Agency [22]. All agencies responsible for national security systems follow CNSS guidance, but given the large proportion of intelligence community systems designated as such, the CNSS is the primary source of security guidance for intelligence agencies.

Information Classification and Security Categorization

All federal agencies perform some type of information asset categorization to help determine the appropriate security and privacy safeguards to put in place. The general procedure is specified in the mandatory Federal Information Processing Standards Publication 199 (FIPS 199), which directs agencies to evaluate different types of information and the information systems on which those information types reside [28]. This standard applies low, moderate, or high designations to the three core security objectives of confidentiality, integrity, and availability. Security categorization using FIPS 199 results in three-part ratings for each information type and information system. The overall security categorization is the highest individual rating—so for example an information type categorized as low for availability and low for integrity but high for confidentiality would be assigned an overall rating of high. Similarly, an information system’s categorization is always at least as high as the minimum categorization of any of the information types associated with the system. The overall system categorization drives the set of security controls needed to satisfy minimum security requirements.

FIPS 199 applies to federal information systems other than national security systems, but in defense and intelligence sector agencies with information security programs covering both national security systems and less sensitive information systems, agencies and their system owners tend to use the same classification schemes for all systems. In the defense context, system owners assign a mission assurance category (MAC) for each system and a confidentiality level for the information associated with the system. In contrast to the system categorization process in FIPS 199 that considers each security objective first to arrive at the appropriate categorization, defense system owners assign mission assurance categories based on standard definitions, and each MAC level has corresponding integrity and availability levels, listed in Table 2.1. Confidentiality is determined separately, using one of three standard levels: classified, sensitive, or public. The result of using distinct MAC and confidentiality level ratings is nine possible combinations, each of which corresponds to sets of required information assurance controls [29].

Table 2.1. Mission Assurance Categorization Levels [30]

MAC Level | Definition | Integrity | Availability
I | These systems handle information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. | High | High
II | These systems handle information that is important to the support of deployed and contingency forces. | High | Medium
III | These systems handle information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short-term. | Basic | Basic

Agencies in the intelligence community use formal data classification schemes similar to the ones used by the Department of Defense, in general applying one of three designations to information—top secret, secret, or confidential—specified in Executive Order 12958, [31] where the classification level is based on the harm or damage that could occur due to unauthorized information disclosure. Concerns over inconsistent classification procedures among intelligence agencies led to a set of recommendations produced in 2008 to establish a standard classification guide for the intelligence community [32]. These recommendations, coupled with the participation of the Office of the Director of National Intelligence and the Committee on National Security Systems on the Joint Task Force Transformation Initiative Interagency Working Group, resulted in new guidance in 2009 from CNSS on security categorization and control selection that largely adopts FIPS 199 and the security control framework specified in NIST Special Publication 800-53 [33]. The CNSS guidance maintains separate ratings for each information type for confidentiality, integrity, and availability, and assigns each information system the highest categorization for each security objective among all of the information types applicable to the system. Because any given system can be assigned one of three impact ratings for confidentiality, integrity, and availability, there are 27 possible security categorizations for systems covered by CNSS policy.
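The two categorization rules stated in this section, the FIPS 199 overall rating being the highest individual rating and the CNSS guidance keeping a separate high-water mark per security objective, are small enough to work through exactly. The following is an added example, not code from the book; the information types and their ratings are constructed for a hypothetical system.

```python
"""FIPS 199 and CNSS security categorization worked through.

Added example. Information types are constructed; the rules follow the
text: FIPS 199 overall rating = highest individual rating, CNSS = highest
rating per objective across all information types on the system.
"""
from itertools import product

LEVELS = ("low", "moderate", "high")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed information types handled by one hypothetical system.
INFO_TYPES = {
    "public web content": {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
    "case records": {"confidentiality": "high", "integrity": "low", "availability": "low"},
    "audit logs": {"confidentiality": "moderate", "integrity": "high", "availability": "low"},
}


def _max_level(levels):
    """Highest impact level in an iterable, using FIPS 199 ordering."""
    return max(levels, key=lambda lvl: RANK[lvl])


def fips199_type_rating(ratings):
    """Overall FIPS 199 rating for one information type: the highest of its
    three objective ratings. Rejects anything outside low/moderate/high."""
    for obj in OBJECTIVES:
        if ratings.get(obj) not in RANK:
            raise ValueError(f"unknown impact level {ratings.get(obj)!r} for {obj}")
    return _max_level(ratings[obj] for obj in OBJECTIVES)


def per_objective_high_water_mark(info_types):
    """CNSS-style system categorization: for each objective, the highest
    rating among all information types the system handles."""
    return {obj: _max_level(t[obj] for t in info_types.values()) for obj in OBJECTIVES}


def fips199_system_category(info_types):
    """FIPS 199 overall system categorization: the single highest rating
    across every objective of every information type on the system."""
    return _max_level(per_objective_high_water_mark(info_types).values())


def notation(info_types):
    """Render the system categorization in FIPS 199's SC = {...} notation."""
    hwm = per_objective_high_water_mark(info_types)
    parts = ", ".join(f"({obj}, {hwm[obj]})" for obj in OBJECTIVES)
    return f"SC system = {{{parts}}}"


def cnss_categorization_space():
    """Every distinct CNSS categorization: one of three levels per objective,
    which is why the text counts 27 possibilities."""
    return [dict(zip(OBJECTIVES, combo)) for combo in product(LEVELS, repeat=3)]


if __name__ == "__main__":
    for name, ratings in INFO_TYPES.items():
        print(f"{name}: overall {fips199_type_rating(ratings)}")
    print(notation(INFO_TYPES))
    print("FIPS 199 overall:", fips199_system_category(INFO_TYPES))
    print("CNSS categorizations:", len(cnss_categorization_space()))
```

The "case records" type reproduces the text's own illustration (low availability, low integrity, high confidentiality gives an overall rating of high), and the system as a whole comes out high for confidentiality and integrity but only moderate for availability under the per-objective rule, while the single FIPS 199 overall rating is high.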

Note

The diversity of information classification approaches used among agencies is not limited to the intelligence community or to highly sensitive information. In a series of executive orders and subsequent guidance the government introduced the standard term controlled unclassified information to refer to all information that does not rise to the level of sensitivity requiring national security classification but nonetheless requires protection from unauthorized disclosure or demands other security and privacy safeguards [34].

Security Controls

Information and systems categorized using FIPS 199 are also subject to FIPS 200, which establishes minimum security requirements for systems based on the impact level assigned in the security categorization process. FIPS 200 directs agencies to implement minimum security requirements for their information systems using the security control framework specified in Special Publication 800-53 [35]. Agencies in all government sectors (as well as commercial organizations) use security control frameworks similar in structure to the one NIST maintains, where individual security controls are organized into functional groups. NIST defines 18 security control “families” comprising 198 individual controls [36]. System owners in the Department of Defense select from among 157 controls organized into eight subject areas [29]. Many public and private sector organizations follow the information security management code of practice described in ISO/IEC 27002, which identifies 133 controls across 11 clauses (categories) that collectively define information security practices relevant to a system or an organization [37]. The selection and implementation of controls necessary to satisfy information system security requirements are core activities in the NIST Risk Management Framework and in alternative system authorization methodologies used in the defense and intelligence sectors.

Certification and Accreditation Process

Appendix III of OMB Circular A-130 requires agencies to authorize processing for federal information systems, including general support systems and major applications. System authorization—accomplished through the use of the certification and accreditation process—is a formal, written approval that adequate security protection exists for a system before it becomes operational. Not every system is subject to individual certification and accreditation—OMB defines major applications as those requiring “special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application” [38]. Systems not meeting this standard still require some level of protection, but agencies often incorporate non-major applications within the scope of security protection provided by the general support system in which those applications reside. Agencies certifying and accrediting information systems in the civilian, defense, and intelligence sectors follow different processes, each described in more detail in the Certification and Accreditation section later in this chapter. The core tasks and activities in all of these processes are quite similar, and the different sectors are moving towards a common government-wide methodology through the efforts of the Joint Task Force Transformation Initiative. Based on applicable policies and agency guidance current as of 2012, civilian agencies follow the certification and accreditation process embedded in the NIST Risk Management Framework, [39] defense agencies follow the DoD Information Assurance Certification and Accreditation Process (DIACAP), [40] and intelligence agencies and others operating national security systems are migrating from the National Information Assurance Certification and Accreditation Process (NIACAP) [41] to the RMF.

Warning

The terms certification and accreditation are widely used in both public sector and commercial information security management, but their meaning differs between government and non-government contexts, and even varies within government usage. In federal information system certification and accreditation processes, including the RMF, DIACAP, and NIACAP, certification refers to the evaluation and affirmation of the extent to which the security controls implemented for a system meet the system’s security requirements, in support of an accreditation decision. Accreditation is the formal decision by an authorizing official that a system’s implemented security controls and residual risk are acceptable to the organization and that the system is approved to be put into operation. Beyond the scope of authorizing processing for information systems, certification typically indicates compliance, such as with a specific standard or set of requirements, while accreditation refers to the endorsement of an organization as minimally competent to perform a particular function or serve in a particular capacity. For instance, many organizations seek ISO certification to demonstrate conformance with various standards, including those related to information security such as ISO 27001. Such certifications are granted by accredited registrars or other organizations explicitly approved to serve as certification bodies. Both connotations apply to NIST, whose FISMA Implementation Program issues guidance for conducting certification and accreditation of federal information systems, and whose National Voluntary Laboratory Accreditation Program evaluates and approves many types of laboratories as qualified to certify different products for conformance to applicable standards. It is important to clearly specify the context when referring to certification and accreditation activities to avoid potential confusion when using these terms.


URL: https://www.sciencedirect.com/science/article/pii/B9781597496414000023

Information Technology Security Management

Rahul Bhaskar, Bhushan Kapoor, in Managing Information Security (Second Edition), 2014

1 Information Security Management Standards

A range of standards are specified by various industry bodies. Although specific to an industry, these standards can be used by any organization and adapted to its goals. Here we discuss the main organizations that set standards related to information security management.

Federal Information Security Management Act

At the U.S. federal level, the National Institute of Standards and Technology (NIST) has specified guidelines for implementing the Federal Information Security Management Act (FISMA). This act aims to provide the following standards shown in Figure 3.1.


Figure 3.1. Specifications in the Federal Information Security Management Act.2

The “Federal Information Security Management Framework Recommended by NIST”1 sidebar describes the risk management framework as specified in FISMA. The activities specified in this framework are paramount in implementing an IT security management plan. Although specified for the federal government, this framework can be used as a guideline by any organization.

Step 1: Categorize

In this step, information systems and internal information should be categorized based on impact.

Step 2: Select

Use the categorization in the first step to select an initial set of security controls for the information system and apply tailoring guidance as appropriate, to obtain a starting point for required controls.

Step 3: Supplement

Assess the risk and local conditions, including the security requirements, specific threat information, and cost/benefit analyses or special circumstances. Supplement the initial set of security controls based on the results of those analyses.

Step 4: Document

The original set of security controls and the supplements should be documented.

Step 5: Implement

The security controls you identified and supplemented should be implemented in the organization’s information systems.

Step 6: Assess

The security controls should be assessed to determine whether the controls are implemented correctly, are operating as intended, and are producing the desired outcome with respect to meeting the security requirements for the system.

Step 7: Authorize

Upon a determination of the risk to organizational operations, organizational assets, or individuals resulting from their operation, authorize the information systems.

Step 8: Monitor

Monitor and assess selected security controls in the information system on a continuous basis, including documenting changes to the system.
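The eight steps above are easier to reason about when the authorization package they produce is made concrete: a categorization, a selected and tailored control set with its rationale, implementation and assessment status per control, an authorization decision, and a change log. The following is an added example, not code from the book or from NIST. The control catalog, the impact level at which each control enters the baseline, and the system data are constructed placeholders; real baselines come from NIST Special Publication 800-53 and are far larger. Treating a monitored change as suspending authorization until the affected controls are reassessed is this example's own choice.

```python
"""The FISMA/RMF steps modelled as operations on an authorization package.

Added example. Catalog, baselines and system data are constructed.
"""
from dataclasses import dataclass, field

# Constructed catalog: control id -> lowest impact level at which it is required.
CATALOG = {
    "AC-2": "low", "AC-6": "moderate", "AU-2": "low", "AU-6": "moderate",
    "CM-6": "low", "IA-5": "low", "SC-8": "moderate", "SI-4": "high",
}
RANK = {"low": 0, "moderate": 1, "high": 2}


@dataclass
class Package:
    system: str
    impact: str = ""                                    # step 1
    controls: set = field(default_factory=set)          # steps 2 and 3
    rationale: dict = field(default_factory=dict)       # step 4
    implemented: set = field(default_factory=set)       # step 5
    results: dict = field(default_factory=dict)         # step 6: id -> verdict
    accepted_risk: set = field(default_factory=set)     # step 7 input
    authorized: bool = False                            # step 7 output
    change_log: list = field(default_factory=list)      # step 8


def categorize(pkg, impact):
    """Step 1: record the impact level produced by security categorization."""
    if impact not in RANK:
        raise ValueError(f"impact level must be one of {sorted(RANK)}")
    pkg.impact = impact
    return pkg


def select(pkg, tailor_out=()):
    """Step 2: baseline = every control required at or below the impact level;
    tailoring removes controls, each with a documented reason."""
    pkg.controls = {c for c, lvl in CATALOG.items() if RANK[lvl] <= RANK[pkg.impact]}
    for c, why in tailor_out:
        pkg.controls.discard(c)
        pkg.rationale[c] = f"tailored out: {why}"
    return pkg


def supplement(pkg, extra):
    """Step 3: add controls the risk assessment calls for beyond the baseline."""
    for c, why in extra:
        pkg.controls.add(c)
        pkg.rationale[c] = f"supplemented: {why}"
    return pkg


def document(pkg):
    """Step 4: the plan lists every selected control with where it came from."""
    return {c: pkg.rationale.get(c, "baseline") for c in sorted(pkg.controls)}


def implement(pkg, ids):
    """Step 5: mark controls as implemented in the system."""
    pkg.implemented.update(ids)
    return pkg


def assess(pkg, results):
    """Step 6: record per-control verdicts; a control that was never
    implemented cannot be satisfied whatever the assessor writes."""
    for c, verdict in results.items():
        pkg.results[c] = verdict if c in pkg.implemented else "not implemented"
    return pkg


def authorize(pkg):
    """Step 7: approve only when every selected control is satisfied or its
    residual risk has been explicitly accepted; returns the blockers."""
    blockers = sorted(c for c in pkg.controls
                      if pkg.results.get(c) != "satisfied" and c not in pkg.accepted_risk)
    pkg.authorized = not blockers
    return blockers


def monitor(pkg, change, affected):
    """Step 8: log a change and clear the assessment results of the controls it
    touches; this example suspends authorization until they are reassessed."""
    pkg.change_log.append(change)
    for c in affected:
        pkg.results.pop(c, None)
    pkg.authorized = False
    return pkg


def worked_example():
    """Run a moderate-impact constructed system through steps 1 to 7."""
    pkg = Package("constructed case-tracking system")
    categorize(pkg, "moderate")
    select(pkg, tailor_out=[("SC-8", "all traffic stays on an isolated segment")])
    supplement(pkg, [("SI-4", "threat information indicates targeted intrusion attempts")])
    plan = document(pkg)
    implement(pkg, ["AC-2", "AC-6", "AU-2", "AU-6", "CM-6", "IA-5"])  # SI-4 still pending
    assess(pkg, {c: "satisfied" for c in pkg.controls})
    blockers = authorize(pkg)
    return plan, blockers, pkg.authorized


if __name__ == "__main__":
    plan, blockers, ok = worked_example()
    print(plan)
    print("authorized:", ok, "blockers:", blockers)
```

In the worked run the supplemented SI-4 control is selected but never implemented, so the assessor's "satisfied" verdict is overridden and the authorization decision is withheld with SI-4 as the blocker; implementing it and reassessing, or recording an explicit risk acceptance, is what clears the decision.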

International Standards Organization

Another influential international body, the International Standards Organization and the International Electrotechnical Commission, published ISO/IEC 17799:2005.4 These standards establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. The standards consist of best practices of control objectives and controls in the areas of information security management shown in Figure 3.2.


Figure 3.2. International Standards Organization best-practice areas.3

These objectives and controls are intended to be implemented to meet the requirements identified by a risk assessment.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166882000039

Thinking About Systems

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Information Security Management

From an information security and risk management perspective, federal agencies view information systems and the information they contain as key organizational assets enabling successful mission execution and the effective performance of mission-centric and supporting business and administrative functions. Although this view is consistent with capital planning and enterprise architecture perspectives, the focus on systems within information security risk management emphasizes the provision of adequate security for information systems through the application of the Risk Management Framework process to obtain and maintain authorizations to operate. Performing information security risk management effectively and efficiently requires agencies and their system owners to clearly define the appropriate boundaries for organizational information systems. Information system boundaries help determine the scope of control and agency responsibilities for protecting information systems and identify the organizational resources, operating environments, technical components, and governance applicable to each information system. Information system boundaries correspond to information system management responsibilities at all levels of the organization—and potentially outside the organization in the case of externally provided systems, components, or services—including information owners, information system owners, authorizing officials, and operational security personnel at the individual information system level. Establishing the information system boundary is part of describing the information system in step 1 of the RMF, in which agencies identify the information resources associated with a system and the point of management control or authority over those resources [32]. 
Agencies need to strike the appropriate balance between defining information system boundaries broadly—potentially adding complexity to risk management processes—and defining boundaries more narrowly, which increases the number of information systems and corresponding operational and management resources allocated to provide adequate security and ensure compliance with FISMA and other applicable regulations. The security management perspective on information systems also focuses on the system as a source of risk to the organization, whether as a target for compromise that exposes the organization to adverse impact or as an essential asset on which mission functions and business processes depend. NIST emphasizes this point explicitly in its risk management guidance to agencies [33] and by focusing the application of the Risk Management Framework on information systems. The language in FISMA and associated NIST guidance to agencies highlights the importance of integrating security management with strategic and operational planning processes at the organizational level [34] and with key activities in all phases of the system development life cycle (SDLC) [35]. To achieve the sort of integrated management envisioned for federal information systems, agencies and their system owners need to address multiple system-based perspectives simultaneously, using explicit information resources management governance processes and the implementation of comprehensive program management or system development life cycle methodologies.


URL: https://www.sciencedirect.com/science/article/pii/B9781597496414000047

Information Technology Security Management

Rahul Bhaskar, Bhushan Kapoor, in Computer and Information Security Handbook (Second Edition), 2013

Federal Information Security Management Act

At the U.S. federal level, the National Institute of Standards and Technology (NIST) has specified guidelines for implementing the Federal Information Security Management Act (FISMA). This act aims to provide the following standards shown in Figure 24.1.


Figure 24.1. Specifications in the Federal Information Security Management Act.1

The “Federal Information Security Management Framework Recommended by NIST”2 sidebar describes the risk management framework as specified in FISMA. The activities specified in this framework are paramount in implementing an IT security management plan. Although specified for the federal government, this framework can be used as a guideline by any organization.

Step 1: Categorize

In this step, information systems and internal information should be categorized based on impact.

Step 2: Select

Use the categorization in the first step to select an initial set of security controls for the information system and apply tailoring guidance as appropriate, to obtain a starting point for required controls.

Step 3: Supplement

Assess the risk and local conditions, including the security requirements, specific threat information, and cost/benefit analyses or special circumstances. Supplement the initial set of security controls based on the results of those analyses.

Step 4: Document

The original set of security controls and the supplements should be documented.

Step 5: Implement

The security controls you identified and supplemented should be implemented in the organization’s information systems.

Step 6: Assess

The security controls should be assessed to determine whether the controls are implemented correctly, are operating as intended, and are producing the desired outcome with respect to meeting the security requirements for the system.

Step 7: Authorize

Upon a determination of the risk to organizational operations, organizational assets, or individuals resulting from their operation, authorize the information systems.

Step 8: Monitor

Monitor and assess selected security controls in the information system on a continuous basis, including documenting changes to the system.


URL: https://www.sciencedirect.com/science/article/pii/B9780123943972000246

Risk Management

David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013

5.4.3.3 Information Security Management Team

The responsibility for the security of the Forensic Laboratory’s information and information-processing systems will ultimately rest with Top Management, supported by the ISM. The ISM may be supported in this task by an Information Security Management Team, whose size will depend on the size of the Forensic Laboratory and its identified needs.

Where it exists, the Information Security Management Team undertakes the following:

assist in developing, implementing, and monitoring information security matters, including risk management;

assist the Human Resources Department in the areas of information security and investigations, including training and awareness;

manage and monitor information security incidents;

operational management and monitoring of control systems;

perform internal audits of information security controls;

provision of advice on information security matters to the Forensic Laboratory, its projects, and trading partners, as appropriate;

undertake business continuity management responsibilities.

This is not an exhaustive list, but it is probably the minimum set of responsibilities for an Information Security Management Team. Where no Information Security Management Team exists, these functions are performed by the ISM.


URL: https://www.sciencedirect.com/science/article/pii/B9781597497428000054

Information Technology Security Management

Rahul Bhaskar, Bhushan Kapoor, in Computer and Information Security Handbook (Third Edition), 2013

2 Other Organizations Involved in Standards

Other organizations that are involved in information security management include the Internet Society [3] and the Information Security Forum [4]. These are professional societies with members in the thousands. The Internet Society is the organizational home for groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force and the Internet Architecture Board. The Information Security Forum is a global nonprofit organization composed of several hundred leading organizations in financial services, manufacturing, telecommunications, consumer goods, government, and other areas. It provides research into best practices and advice, summarized in its biannual Standard of Good Practice, which incorporates detailed specifications across many areas.


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000272

Federal Initiatives

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Summary

Although FISMA drives many aspects of information security management in government organizations, agency personnel with risk management and information security responsibilities are influenced by a wide array of government initiatives beyond FISMA with significant security management implications. Agencies continue to have broad authority to determine their own security requirements and structure information security programs and practices in whatever manner they find most effective, but policy directives, technical standards, and other government-wide obligations may constrain agency and system owner decisions and courses of action. Common services or security technologies available to agencies may provide opportunities for agencies to make cost-effective improvements to security operations, provision new or enhanced capabilities, or achieve interoperability with other government organizations. This chapter identified and briefly described a variety of federal initiatives relevant to agency security management, explaining key expectations for agencies and system owners and noting points of intersection or overlap between federal initiatives and agency practices under the Risk Management Framework.

Who is responsible for implementing information security?

While it is the responsibility of the Data Custodian to develop and implement operational procedures, it is the Data Owner's responsibility to review and approve these standards and procedures.

Who is responsible for developing and implementing security programs for an organization?

Generally speaking, the chief educational administrator and his or her employees need to shoulder the responsibility of protecting their system because, after all, it is their system. They are the people who know it best, and they will be the ones who have to implement the adopted security policy.

What organization is responsible for the administration of the data security standards?

The Cybersecurity and Infrastructure Security Agency (CISA) leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.

Who is responsible for information security in Infosys?

The Information Security Council (ISC) is the governing body at Infosys that focuses on establishing, directing and monitoring of our information security governance framework.