TaylorMaid Security

Information Security - From Principles to Policy

http://come.to/TaylorMaid/

Author: Martin Taylor

22Mar04

© TaylorMaid Security

Purpose

The purpose of this document is to make the information below available for public scrutiny and to move forward the art and science of Information Security.

Scope

The document majors on Information Security, and within that, attempts to crystallise the subject into its fundamental foundational principles.

Copyright

The copyright and intellectual property rights for this document belong to TaylorMaid Security.

The document may be copied provided the header information including this section is retained.

The information may be used for purposes where there is no financial gain provided acknowledgment is given to TaylorMaid Security.

Persons wishing to use the information for purposes where there is an element of financial gain may apply for permission for such use to TaylorMaid Security.


1 The Hypothesis

Information security policies, standards and guidelines are derived from a set of fundamental principles (axioms).

1.1 Corollary 1

It should be possible to derive any given security policy, standard or guideline from these axioms, with the addition only of common sense.

1.2 Corollary 2

Individuals with a knowledge and understanding of these axioms and who have applied them in an organisational environment are deemed security experts.

1.3 Conditions

The fundamental principles must be

1.4 Note

The extent to which principles should be applied will be interpreted differently by different groupings of people, as the principles will be influenced by culture.

2 The Principles

2.1 Information is Valuable

Information is one of the organisation's most valuable resources. Information assets include the information itself and the means by which that information is stored, transported and processed. Without such information assets, the organisation would not be able to pursue its objectives.

2.2 Information can be harmed

Information can be harmed by affecting one or more of its properties:-

2.3 The Information World is Complex

The world where information is stored, transported and processed is complex. No single person understands the entirety of the possible interactions within a set of information storage/process/transport mechanisms. There is potential for loss or harm to information through an action or indeed inaction. It is not always possible to predict the outcome. Add to that the potential for catastrophe from the natural world, and information is at noticeable risk of loss or harm.

2.4 Individuals are human

We are all fallible. Some individuals will be hostile toward some information. Some individuals will not take due care. Some will not easily understand instructions. It is likely that information will suffer loss or harm through accident. It is possible that information will suffer loss or harm through deliberate acts.

2.5 Information Protection

Valuable information requires protection. Information shall be protected by controls designed to minimise loss or harm through accident, negligence or deliberate actions.

2.6 Top Management Due Diligence

The primary leaders within an organisation have a duty of care to ensure that due diligence is paid to information security. They are responsible and accountable for the overall actions of an organisation and are thus ultimately responsible for all information within the organisation. To discharge that responsibility they must ensure that responsibility and appropriate authority are delegated throughout the organisation.

2.7 Information Ownership

Information shall be assigned an owner who will ensure appropriate levels of protection are applied.

2.8 Information Risk

Consistent with financial risk and operational risk, information risk shall be considered and afforded a priority in all decisions within an organisation.

2.9 Risk Assessment

A risk assessment process balancing vulnerability to threats against cost shall be used in deciding appropriate controls to be used to protect information.

2.10 Individual Accountability

Each individual shall be accountable for their actions and have a duty of care to ensure due diligence is afforded to information security. Accountability cannot be delegated.

2.11 Secure by default

Information assets should be secured unless specifically authorised otherwise. Information assets include information and the means by which that information is stored, transported and processed.

2.12 Openness

Information should be made available to enable organisational operations to function.

2.13 Need to Know

Some information shall have additional restrictions applied to ensure access only by those with an authorised ‘need to know’.

3 Secondary (Derived) Principles

3.1 Responsibilities

3.1.1 Chief Information Officer

From 2.1 Information is Valuable and 2.6 Top Management Due Diligence and 2.7 Information Ownership the primary leaders within an organisation will appoint an individual to take responsibility for how information within the organisation is stored, processed and transported. This individual will be referred to here as the Chief Information Officer.

3.1.2 Chief Information Protection Officer

From 2.1 Information is Valuable and 2.6 Top Management Due Diligence and 2.7 Information Ownership, the primary leaders within an organisation will ensure the appointment of an individual to take responsibility for setting policy on how information assets within the organisation are protected. This individual will be referred to here as the Chief Information Protection Officer.

3.1.3 Information Protection Office

Using 2.9 Risk Assessment and Common Sense, the CIPO will work with the primary leaders of the organisation to justify and create a Security Group that is appropriate for the organisation. The group will be responsible under the CIPO for setting and policing information security policy.

3.2 Deriving the Need for Policy, Standards and Guidelines from the Principles

From 2.1 Information is Valuable and Common Sense, not all information assets will have the same value. From 2.13 Need to Know, individuals in the organisation will need to know the rules governing behaviour towards different types of information assets. It is therefore important to define the policy, standards and guidelines that describe this.

3.3 Baseline Controls

From 2.1 Information is Valuable and 2.5 Information Protection, using 2.9 Risk Assessment: because a) the loss of information is costly, b) it is costly to correct information after an incident and c) many controls cost little to put into effect, there is a baseline set of controls which it is cost effective to apply to all information within an organisation.

3.4 Separation of Duties

Because 2.4 Individuals are human and may do things that they ought not, they should not be placed in positions where it is easy to do the wrong thing. For example, the person who is allowed to create accounts that may be sent payments should not be the same person who authorises payments to those accounts, lest they create false accounts and siphon the organisation's funds into them.
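As an added illustration that is not part of the original document, the following Python sketch enforces 3.4 Separation of Duties on the payment example above, together with 2.11 Secure by default (deny unless explicitly granted), 2.13 Need to Know (explicit grants per action) and 2.10 Individual Accountability (an audit record of who did what, and when). The user names, permission names and audit record layout are constructed for the example.

```python
# Added example, not code from the TaylorMaid document. Demonstrates a
# default-deny authorisation model with a separation-of-duties rule:
# the person who created a payee account may not authorise payments to it.
# All user names, permission names and payees below are constructed.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Payee:
    name: str
    created_by: str  # recorded so the separation-of-duties rule can be applied


@dataclass
class AccessPolicy:
    # user -> permissions explicitly granted (2.13 Need to Know).
    # Anything not listed here is denied (2.11 Secure by default).
    grants: dict[str, set[str]] = field(default_factory=dict)
    payees: dict[str, Payee] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def grant(self, user: str, permission: str) -> None:
        self.grants.setdefault(user, set()).add(permission)

    def is_allowed(self, user: str, permission: str) -> bool:
        # Default deny: a user with no entry has no access at all.
        return permission in self.grants.get(user, set())

    def _audit(self, user: str, action: str, target: str, outcome: str) -> None:
        # 2.10 Individual Accountability: who, what, on what, when, and the result.
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": user, "action": action, "target": target, "outcome": outcome,
        })

    def create_payee(self, user: str, name: str) -> bool:
        if not self.is_allowed(user, "payee:create"):
            self._audit(user, "create_payee", name, "denied: no grant")
            return False
        self.payees[name] = Payee(name=name, created_by=user)
        self._audit(user, "create_payee", name, "ok")
        return True

    def authorise_payment(self, user: str, payee_name: str, amount: int) -> bool:
        if not self.is_allowed(user, "payment:authorise"):
            self._audit(user, "authorise_payment", payee_name, "denied: no grant")
            return False
        payee = self.payees.get(payee_name)
        if payee is None:
            self._audit(user, "authorise_payment", payee_name, "denied: unknown payee")
            return False
        # 3.4 Separation of Duties: the creator of a payee cannot also authorise
        # payments to it, even if both permissions were (mistakenly) granted.
        if payee.created_by == user:
            self._audit(user, "authorise_payment", payee_name, "denied: separation of duties")
            return False
        self._audit(user, "authorise_payment", f"{payee_name}:{amount}", "ok")
        return True


def demo() -> dict:
    """Run the constructed scenario and return the outcome of each step."""
    policy = AccessPolicy()
    policy.grant("alice", "payee:create")
    policy.grant("bob", "payment:authorise")
    # Misconfiguration: alice has also been given authorise rights.
    policy.grant("alice", "payment:authorise")
    return {
        "alice_creates": policy.create_payee("alice", "ACME Ltd"),           # ok
        "bob_creates": policy.create_payee("bob", "Other Ltd"),              # default deny
        "alice_pays_own": policy.authorise_payment("alice", "ACME Ltd", 500),  # SoD blocks
        "bob_pays": policy.authorise_payment("bob", "ACME Ltd", 500),        # ok
        "bob_pays_unknown": policy.authorise_payment("bob", "Ghost Ltd", 500),  # unknown payee
        "audit_entries": len(policy.audit_log),                              # every attempt logged
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```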

3.5 Information Classification

From 2.1 Information is Valuable and Common Sense, not all information will have the same value.

From 2.13 Need to Know, individuals in the organisation will need to know the relative sensitivity of different information. It is therefore useful to categorise information into groups that have roughly similar value.

Working with the 2.7 Information Ownership, and using 2.9 Risk Assessment to extend 2.5 Information Protection beyond 3.3 Baseline Controls, the different categories can then be given extra protection beyond the baseline as appropriate.

3.5.1 Information Asset Register

From Common Sense, this will be easier and more comprehensive if organised logically and hence it is sensible to maintain a register of information assets.

3.5.2 Information Classification Officer

From Common Sense, a categorisation of information is information in its own right. From 2.7 Information Ownership an owner should be assigned to the categorisation. This individual will be referred to as the Information Classification Officer.

The Information Classification Officer will define the classification policy and provide guidelines on how it will be operated in practice.

From 2.1 Information is Valuable and 3.4 Separation of Duties, the Information Classification Officer will not be the person who administers other information controls.

3.6 Threats and Vulnerabilities

From 2.3 The Information World is Complex and 2.4 Individuals are human, there are infinitely many ways by which 2.2 Information can be harmed. The collective term normally given to these is 'Threats', and the likelihood of a particular threat occurring is often referred to as the 'Vulnerability'.

Attempts have been made to describe mathematically the relationship between Risk (2.9 Risk Assessment) and 3.6 Threats and Vulnerabilities, often because mathematical symbols can give some insight, but it is difficult to be rigorous with the maths. There is a relationship in which part of the overall Risk is a combination of the impact of a specific threat on information and the vulnerability of the information to that threat. However, describing this relationship properly requires notation not used by the average person, and describing risk using only basic arithmetic symbols leads to an inaccurate description.

4 People

4.1 Individuals are Information Assets

From Common Sense, individuals are capable in and of themselves of storing, processing and transporting information. That information may give them a value that is separable from their inherent value as human beings.

4.2 Clearance

From 2.4 Individuals are human and 2.9 Risk Assessment the risk to information assets from individuals should be reduced by assessing their risk to the organisation before allowing access to categories of information (e.g. prior to employment, prior to promotion, prior to assignment to a sensitive project).

4.3 Employment Contract Clauses

From 4.2 Clearance and 2.5 Information Protection, controls should be introduced e.g. via the contract of employment to limit risk posed by individuals, and to clarify the consequences of inappropriate behaviour. E.g. confidentiality clauses, disciplinary processes etc. Particular care shall be taken when employing individuals (or companies as they are collections of individuals). Further care must be taken on termination.

4.4 Awareness and Training

From 2.4 Individuals are human, 2.3 The Information World is Complex and Common Sense, risk can be reduced further by appropriate education and training. E.g. information responsibilities in job descriptions, job specific training, awareness of policy etc.

4.5 Individuals may need protection

From 4.1 Individuals are Information Assets, 2.1 Information is Valuable and 2.5 Information Protection, individuals with access to particularly valuable information may need extra protection. There are circumstances in which the information that an individual knows will result in threats against them and their families. Consideration should be given to this using 2.9 Risk Assessment.


Beyond this point are appendices where the principles above are applied to various other security related documents. The purpose is to demonstrate that the principles are in fact sufficient to derive all security policies etc. as claimed.

The appendices are still a work in progress.

Appendix A Deriving the BS7799 10 controls from the Principles

1 Security Policy

From 2.1 Information is Valuable and Common Sense, not all information assets will have the same value. From 2.13 Need to Know, individuals in the organisation will need to know the rules governing behaviour towards different types of information assets. It is therefore important to define the policy, standards and guidelines that describe this. From 2.6 Top Management Due Diligence the primary leaders in an organisation must support the policy, standards and guidelines as the embodiment of the requirements for security.

The requirements for security are to be set at the highest level and supported by ‘top management’. The policy is the starting point of an effective security infrastructure and is supported by the relevant standards and procedures.

2 Security organisation

From 2.1 Information is Valuable and 2.6 Top Management Due Diligence and 2.7 Information Ownership, the primary leaders within an organisation will ensure the appointment of an individual to take responsibility for setting policy on how information assets within the organisation are protected. This individual will be referred to here as the 3.1.2 Chief Information Protection Officer. Using 2.9 Risk Assessment and Common Sense, the CIPO will work with the primary leaders of the organisation to justify and create a Security Group that is appropriate for the organisation. The group will be responsible under the CIPO for setting and policing information security policy.

A security organisation should be in place that has adequate authority to monitor internal and external information security and has contacts with similar professionals outside the organisation.

3 Asset classification and control

From 2.1 Information is Valuable and Common Sense, not all information will have the same value.

From 2.13 Need to Know, individuals in the organisation will need to know the relative sensitivity of different information. It is therefore useful to categorise information into groups that have roughly similar value.

Working with the 2.7 Information Ownership, and using 2.9 Risk Assessment to extend 2.5 Information Protection beyond 3.3 Baseline Controls, the different categories can then be given extra protection beyond the baseline as appropriate.

From Common Sense, this will be easier and more comprehensive if organised logically and hence it is sensible to maintain a register of information assets.

Information should be assigned a value commensurate with the impact of the loss or unavailability of that information to the organisation. Information should be treated as an asset, with a register of all assets maintained. All assets must have an ‘owner’ who is responsible for ensuring that adequate care is taken of the asset.

4 Personnel security

From 2.4 Individuals are human and 2.9 Risk Assessment the risk to information assets from individuals should be reduced by assessing their risk to the organisation before allowing access to categories of information (e.g. prior to employment, prior to promotion, prior to assignment to a sensitive project).

From 2.4 Individuals are human and 2.9 Risk Assessment and 2.5 Information Protection controls should be introduced e.g. via the contract of employment to limit risk posed by individuals, and to clarify the consequences of inappropriate behaviour. E.g. confidentiality clauses, disciplinary processes etc.

From Common Sense risk can be reduced further by appropriate education and training. E.g. information responsibilities in job descriptions, job specific training, awareness of policy etc.

Staff should have been adequately vetted prior to employment and be trained to understand the risks to information. The organisation must protect itself and its employees and ensure that the employment contract has a suitable confidentiality agreement in force. All staff should have up to date job descriptions that outline their information security responsibilities. An effective disciplinary process must deal with any breaches. If a security breach does occur, or a weakness is identified, then the staff must be trained to deal with it.

5 Physical and environmental security

From 2.5 Information Protection and 2.9 Risk Assessment the risk to information assets should be assessed and appropriate protection provided.

Physical security of the environment within which information is processed must be in place, as well as physical access security to the equipment itself. All equipment, on or off site, must be adequately protected from the time of acquisition to disposal.

6 Computer and network management

From 2.5 Information Protection and 2.9 Risk Assessment the risk to information assets should be assessed and appropriate protection provided.

[Note further work required on 6-10]

Responsibilities and procedures should be documented, so that information is secure from loss, whether on or off site, through hostile processes, data corruption or disclosure. All additions to the information processing environment should go through a formal security management process.

7 System access control

User access to both applications and computer systems (including networked systems) must be managed and controlled and users must be aware of their responsibilities for information use. Systems should be configured only to permit users to access information for which they are authorised. Use of the system should be monitored and logged.

8 System development and maintenance

Any new application developments must be performed in a controlled manner, segregated from the ‘live’ environment and fully tested prior to being loaded onto the live system(s).

9 Business continuity planning

A business continuity plan must be prepared and maintained, to reflect the existing business systems and cover a range of possible scenarios that may interrupt the normal operation of the organisation. It is essential that responsibilities are assigned and that the plan is regularly tested.

10 Compliance

Legislative and regulatory requirements must be addressed including the Data Protection Act (1998), the Computer Misuse Act (1990) and the Copyright, Designs and Patents Act (1988). Conformance with the organisation’s security policy and standards must also be maintained. This is achieved by auditing, either continuously or at regular intervals. Audit tools and audit trails should be adequately protected against misuse or manipulation.


Appendix B Deriving the UK Data Protection Act principles from the axioms

Personal Data must be:

B1 obtained, and used, fairly and lawfully

B2 used only for the purposes specified prior to obtaining it

B3 adequate, relevant, and not excessive

B4 accurate and kept up to date

B5 kept no longer than necessary

B6 managed in accordance with the Data Protection rights of individuals

B7 protected by adequate security measures to prevent unauthorised use, loss or corruption

B8 not transferred to a non-EEC country, unless adequate arrangements exist to protect the data


Appendix C Deriving the OECD Security principles from the axioms

C1 Awareness

From 2.4 Individuals are human, 2.3 The Information World is Complex and Common Sense, risk can be reduced further by appropriate education and training. E.g. information responsibilities in job descriptions, job specific training, awareness of policy etc.

Participants should be aware of the need for security of information systems and networks and what they can do to enhance security

C2 Responsibility

From 2.10 Individual Accountability and 2.6 Top Management Due Diligence, individuals are accountable and it is a management responsibility to ensure individuals are clear what they are accountable for.

All participants are responsible for the security of information systems and networks

C3 Response

[Further work is needed on C3-C9]

Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents

C4 Ethics

Participants should respect the legitimate interests of others

C5 Democracy

The security of information systems and networks should be compatible with essential values of a democratic society

C6 Risk Assessment

Participants should conduct risk assessments

C7 Security Design & Implementation

Participants should incorporate security as an essential element of information systems and networks

C8 Security Management

Participants should adopt a comprehensive approach to security management

C9 Reassessment

Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.


Appendix D Deriving the Generally Accepted System Security principles (GASSP) from the axioms

D1 Pervasive Principles

D1.1 [GASSP 2.1.1] Accountability Principle

From 2.10 Individual Accountability and 2.6 Top Management Due Diligence, individuals are accountable and it is a management responsibility to ensure individuals are clear what they are accountable for.

Information security accountability and responsibility must be clearly defined and acknowledged.

D1.2 [GASSP 2.1.2] Awareness Principle

From 2.4 Individuals are human, 2.3 The Information World is Complex and Common Sense, risk can be reduced further by appropriate education and training. E.g. information responsibilities in job descriptions, job specific training, awareness of policy etc.

All parties, including but not limited to information owners and information security practitioners, with a need to know should have access to applied or available principles, standards, conventions, or mechanisms for the security of information and information systems, and should be informed of applicable threats to the security of information.

D1.3 [GASSP 2.1.3] Ethics Principle

[Further work is needed on D1.3-D1.9]

Information should be used, and the administration of information security should be executed, in an ethical manner.

D1.4 [GASSP 2.1.4] Multidisciplinary Principle

Principles, standards, conventions, and mechanisms for the security of information and information systems should address the considerations and viewpoints of all interested parties.

D1.5 [GASSP 2.1.5] Proportionality Principle

Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of the information.

D1.6 [GASSP 2.1.6] Integration Principle

Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.

D1.7 [GASSP 2.1.7] Timeliness Principle

All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.

D1.8 [GASSP 2.1.8] Assessment Principle

The risks to information and information systems should be assessed periodically.

D1.9 [GASSP 2.1.9] Equity Principle

Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.

D2 Broad Functional Principles

D2.1 [GASSP 2.2.1] Information Security Policy

From 2.1 Information is Valuable and Common Sense, not all information assets will have the same value. From 2.13 Need to Know, individuals in the organisation will need to know the rules governing behaviour towards different types of information assets. It is therefore important to define the policy, standards and guidelines that describe this.

Management shall ensure that policy and supporting standards, baselines, procedures, and guidelines are developed and maintained to address all aspects of information security. Such guidance must assign responsibility, the level of discretion, and how much risk each individual or organizational entity is authorized to assume.

D2.2 [GASSP 2.2.2] Education and Awareness

From 2.4 Individuals are human, 2.3 The Information World is Complex and Common Sense, risk can be reduced further by appropriate education and training. E.g. information responsibilities in job descriptions, job specific training, awareness of policy etc. From 2.6 Top Management Due Diligence it is a management responsibility to ensure appropriate amounts of time are spent on awareness and education.

Management shall communicate information security policy to all personnel and ensure that all are appropriately aware. Education shall include standards, baselines, procedures, guidelines, responsibilities, related enforcement measures, and consequences of failure to comply.

D2.3 [GASSP 2.2.3] Accountability

From 2.10 Individual Accountability and 2.6 Top Management Due Diligence, individuals are accountable and it is a management responsibility to ensure individuals are clear what they are accountable for.

Management shall hold all parties accountable for their access to and use of information, e.g., additions, modifications, copying and deletions, and supporting Information Technology resources. It must be possible to affix the date, time, and responsibility, to the level of an individual, for all significant events.

D2.4 [GASSP 2.2.4] Information Management

[Further work is needed on D2.4-D2.14]

Management shall routinely catalog and value information assets, and assign levels of sensitivity and criticality. Information, as an asset, must be uniquely identified and responsibility for it assigned.

D2.5 [GASSP 2.2.5] Environmental Management

Management shall consider and compensate for the risks inherent to the internal and external physical environment where information assets and supporting Information Technology resources and assets are stored, transmitted, or used.

D2.6 [GASSP 2.2.6] Personnel Qualifications

Management shall establish and verify the qualifications related to integrity, need-to-know, and technical competence of all parties provided access to information assets or supporting Information Technology resources.

D2.7 [GASSP 2.2.7] System Integrity

Management shall ensure that all properties of systems and applications that are essential to or relied upon to support the organization's mission are established, preserved, and safeguarded.

D2.8 [GASSP 2.2.8] Information Systems Life Cycle

Management shall ensure that security is addressed at all stages of the system life cycle.

D2.9 [GASSP 2.2.9] Access Control

Management shall establish appropriate controls to balance access to information assets and supporting Information Technology resources against the risk.

D2.10 [GASSP 2.2.10] Operational Continuity and Contingency Planning

Management shall plan for and operate Information Technology in such a way as to preserve the continuity of organizational operations.

D2.11 [GASSP 2.2.11] Information Risk Management

Management shall ensure that information security measures are appropriate to the value of the assets and the threats to which they are vulnerable.

D2.12 [GASSP 2.2.12] Network and Infrastructure Security

Management shall consider the potential impact on the shared global infrastructure, e.g., the Internet, public switched networks, and other connected systems when establishing network security measures.

D2.13 [GASSP 2.2.13] Legal, Regulatory, and Contractual Requirements of Information Security

Management shall take steps to be aware of and address all legal, regulatory, and contractual requirements pertaining to information assets.

D2.14 [GASSP 2.2.14] Ethical Practices

Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.


Appendix Z Document History

Date       | Change                                                                                                                                | By
-----------|---------------------------------------------------------------------------------------------------------------------------------------|---------------
1990-1998  | Original ideas                                                                                                                        | Martin Taylor
8Apr99     | First paper version                                                                                                                   | Martin Taylor
12Apr99    | First update                                                                                                                          | Dale Johnstone
31Aug99    | First Internet version                                                                                                                | Martin Taylor
7Sep99     | Minor updates                                                                                                                         | Martin Taylor
23Sep00    | Minor updates. Inclusion of Purpose and Copyright detail.                                                                             | Martin Taylor
30Sep00    | Inclusion of 'Individuals are Human' (credit Neils Nygaard)                                                                           | Martin Taylor
6Oct00     | Inclusion of Separation of Duties and Information Classification                                                                      | Martin Taylor
10Oct00    | Inclusion of document scope                                                                                                           | Martin Taylor
14Dec00    | Derivation of Threats & Vulnerabilities plus modified descriptions of Complexity & Humanity                                            | Martin Taylor
6May02     | Extend Information Classification. Introduce CIO and CIPO, Information Asset Register, ICO, The need for Policy etc., People Section.  | Martin Taylor
25Jun03    | Rearrange order of principles, add 'Information can be harmed' principle. Added appendices to cover OECD Security Principles and GASSP sets. | Martin Taylor
22Mar04    | Minor mods to Information is Valuable. Re-worked numbering that had been upset by Word being too clever.                              | Martin Taylor