Chapter 5: Information Security Maintenance

This document discusses the importance of ongoing maintenance for information security programs. It outlines several security management maintenance models, including the NIST SP 800-100 Information Security Handbook model. This model provides guidance for managers on ongoing tasks like monitoring governance, system development lifecycles, awareness/training programs, investment controls, system interconnections, performance measures, security planning, contingency planning, risk management, and incident response. Maintaining security programs requires constant review, risk assessment, and adapting to changing organizational needs and environments over time.
At the end of the unit, the students should be able to:

• Discuss the need for ongoing maintenance of the information security program
• List the recommended security management models
• Define a model for a full maintenance program
• Identify the key factors involved in monitoring the external and internal environment
• Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
• Explain how to build readiness and review procedures into information security maintenance
• Define digital forensics, and describe the management of the digital forensics function
• Describe the process of acquiring, analyzing, and maintaining potential evidentiary material
INTRODUCTION
After successfully implementing and testing a new and improved information security profile, an organization may begin feeling
more confident about the level of protection it is providing for its information assets. But it shouldn’t, really. In all likelihood, a
good deal of time has passed since the organization began implementing the changes to the information security program.
In that time, the dynamic aspects of the organization’s environment have, by definition, changed.

Developing a comprehensive list of all the possible dynamic factors in an organization’s environment is beyond the scope of this
text. However, some changes that may affect an organization’s information security environment are the following:
• The acquisition of new assets and the divestiture of old assets
• The emergence of vulnerabilities associated with the new or existing assets
• Shifting business priorities
• The formation of new partnerships
• The dissolution of old partnerships
• The departure of personnel who are trained, educated, and aware of policies, procedures, and technologies
• The hiring of personnel

SECURITY MANAGEMENT MAINTENANCE MODELS


To manage and operate the ongoing security program, the information security community must adopt a
management maintenance model. In general, management models are frameworks that structure the tasks of
managing a particular set of activities or business functions.

NIST SP 800-100 Information Security Handbook: A Guide for Managers


NIST SP 800-100 Information Security Handbook: A Guide for Managers provides managerial guidance for the
establishment and implementation of an information security program, in particular regarding the ongoing tasks
expected of an information security manager once the program is operational and day-to-day operations are
established.

The following sections describe the monitoring actions for each of the thirteen information security areas. This
information is adapted from SP 800-100.
1. INFORMATION SECURITY GOVERNANCE. An effective information security governance program
requires constant review. Agencies should monitor the status of their programs to ensure that:
• Ongoing information security activities are providing appropriate support to the agency mission
• Policies and procedures are current and aligned with evolving technologies, if appropriate
• Controls are accomplishing their intended purpose

IAS 102-Information Assurance and Security 2


Dinalyn A. Mallares
Instructor 1
2. SYSTEM DEVELOPMENT LIFE CYCLE. The system development life cycle (SDLC) is the overall
process of developing, implementing, and retiring information systems through a multistep process—
initiation, analysis, design, implementation, and maintenance to disposal. Each phase of the SDLC includes
a minimum set of information security–related activities required to effectively incorporate security into a
system.

Table 5.1 Information Security Ongoing Activities in the SDLC

3. AWARENESS AND TRAINING. Once the program has been implemented, processes must be put in
place to monitor compliance and effectiveness. An automated tracking system should be designed to capture
key information on program activity (e.g., courses, dates, audience, costs, sources). The tracking system
should capture this data at an agency level, so it can be used to provide enterprise-wide analysis and
reporting regarding awareness, training, and education initiatives.

4. CAPITAL PLANNING AND INVESTMENT CONTROL. Increased competition for limited resources
requires that departments allocate available funding toward their highest-priority information security
investments to afford the organization, and its systems and data, the appropriate degree of security for their
needs. This goal can be achieved through a formal enterprise capital planning and investment control (CPIC)
process designed to facilitate and control the expenditure of agency funds.


Figure 5.1 Select-Control-Evaluate Investment Life Cycle

5. INTERCONNECTING SYSTEMS. A system interconnection is defined as the direct connection of two or
more information systems for sharing data and other information resources. Organizations choose to
interconnect their information systems for a variety of reasons based on their organizational needs. For
example, they may interconnect information systems to exchange data, collaborate on joint projects, or
securely store data and backup files.

6. PERFORMANCE MEASURES. A performance measures program provides numerous organizational and
financial benefits to organizations. Organizations can develop information security metrics that measure the
effectiveness of their security program, and provide data to be analyzed and used by program managers and
system owners to isolate problems, justify investment requests, and target funds to the areas in need of
improvement.

Metrics are tools that support decision making. Like experience, external mandates, and strategies, metrics
are one element of a manager’s toolkit for making and substantiating decisions. Metrics are used to answer
three basic questions:
• “Am I implementing the tasks for which I am responsible?”
• “How efficiently or effectively am I accomplishing those tasks?”
• “What impact are those tasks having on the mission?”

Figure 5.2 Information Security Metrics Development Process


7. SECURITY PLANNING. Planning is one of the most crucial ongoing responsibilities in security
management. Strategic, tactical, and operational plans must be developed that align with and support
organizational and IT plans, goals, and objectives.
8. INFORMATION TECHNOLOGY CONTINGENCY PLANNING. Contingency planning consists of a
process for recovery and documentation of procedures for conducting recovery. Planning, implementing,
and testing the contingency strategy are addressed by six of the seven steps; documenting the plan and
establishing procedures and personnel organization to implement the strategy is the final step.

Figure 5.3 The NIST Seven-Step Contingency Planning Process


9. RISK MANAGEMENT. Risk management, covered in Chapter 4, is an ongoing effort as well. The tasks
of performing risk identification, analysis, and management are a cyclic and fundamental part of continuous
improvement in information security. The principal goal of an organization’s risk management process is to
protect the organization and its ability to perform its mission, not just its information assets.
10. Certification, Accreditation, and Security Assessments. Certification and accreditation for federal
systems is radically changing for those systems designated as non-national security information systems.
However, some organizations need to review their own systems for a certification and/or accreditation to be
in compliance with banking, health care, international, or other regulations.
11. Security Services and Products Acquisition. Information security services and products are essential
elements of an organization’s information security program. Such products are widely available in the
marketplace today and are frequently used by federal agencies. Security products and services should be
selected and used to support the organization’s overall program to manage the design, development, and
maintenance of its information security infrastructure and to protect its mission-critical information.
Agencies should apply risk management principles to aid in the identification and mitigation of risks
associated with the acquisition.
12. Incident Response. Every organization that depends on information systems and networks should identify
and assess the risks to its systems and its information and reduce those risks to an acceptable level. An
important component of this risk management process is the trending analysis of past computer security
incidents and the identification of effective ways to deal with them. A well-defined incident response
capability helps the organization detect incidents rapidly, minimize loss and destruction, identify
weaknesses, and restore IT operations rapidly.

13. Configuration (or Change) Management. The purpose of configuration (or change) management (CM) is
to manage the effects of changes or differences in configurations on an information system or network. In
some organizations configuration management is the identification, inventory, and documentation of the
current information systems status—hardware, software, and networking configurations. Change
management is sometimes described as a separate function that only addresses the modifications to this base
configuration. Here, we combine the two concepts to address the current and proposed states of the
information systems and the management of any needed modifications.

Table 2.2 NIST SP 800-53 Configuration Management Control Family

THE SECURITY MAINTENANCE MODEL


While a management model such as the ISO 27000 series or NIST SP 800-100 Information Security Handbook: A Guide
for Managers deals with methods to manage and operate systems, a maintenance model is designed (in ways that
complement the chosen management model) to focus organizational effort on maintaining systems. An approach that
is recommended by this text for dealing with change caused by information security maintenance is presented in
Figure 12-10. This figure diagrams a full maintenance program and serves as a framework for the discussion that
follows.
The recommended maintenance model is based on five subject areas or domains:

• External monitoring
• Internal monitoring
• Planning and risk assessment
• Vulnerability assessment and remediation
• Readiness and review

MONITORING THE EXTERNAL ENVIRONMENT



Figure 5.4 The Maintenance Model

The objective of the external monitoring domain within the maintenance model is to provide the early awareness
of new and emerging threats, threat agents, vulnerabilities, and attacks that the organization needs in order to mount
an effective and timely defense. Figure 5.4 shows the primary components of the external monitoring process.

External monitoring entails collecting intelligence from various data sources and then giving that intelligence
context and meaning for use by decision makers within the organization.

a. Data Sources. Acquiring data about threats, threat agents, vulnerabilities, and attacks is not difficult. There
are many sources of raw intelligence and relatively few costs associated with gathering the intelligence.

External intelligence can come from three classes of sources:


• Vendors: When an organization uses specific software products as part of its information security
program, the vendor often provides either direct support or indirect tools that allow user communities to
support each other. This support often includes intelligence on emerging threats.
• CERT organizations: Computer emergency response teams (CERTs) exist in varying forms around the
world. Often, US-CERT (www.us-cert.gov) is viewed as the definitive authority.
• Public network sources: Many publicly accessible information sources, both mailing lists and Web sites,
are freely available to those organizations and individuals who have the time and expertise to make use of
them.

b. Monitoring, Escalation, and Incident Response. The basic function of the external monitoring process is
to monitor activity, report results, and escalate warnings. The optimum approach for escalation is based on a
thorough integration of the monitoring process into the IRP.

c. Data Collection and Management. Over time, the external monitoring processes should capture
information about the external environment in a format that can be referenced both across the organization
as threats emerge and for historical use.

MONITORING THE INTERNAL ENVIRONMENT

The primary goal of the internal monitoring domain is to maintain an informed awareness of the state of all of the
organization’s networks, information systems, and information security defenses. This awareness must be
communicated and documented, especially for components that are exposed to the external network. Internal
monitoring is accomplished by:
• Building and maintaining an inventory of network devices and channels, IT infrastructure and applications, and
information security infrastructure elements.
• Leading the IT governance process within the organization to integrate the inevitable changes found in all network, IT,
and information security programs.
• Monitoring IT activity in real-time using IDPSs to detect and initiate responses to specific actions or trends of events
that introduce risk to the organization’s information assets.
• Monitoring the internal state of the organization’s networks and systems. This recursive review of the network and
system devices that are online at any given moment and of any changes to the services offered on the network is
needed to maintain awareness of new and emerging threats. This can be accomplished through automated
difference-detection methods that identify variances introduced to the network or system hardware and software.
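The difference-detection step above (and the configuration baseline that item 13 on configuration management describes) can be automated by diffing a recorded baseline against a fresh snapshot. The Python below is an added example, not code from the handout; the host names, ports and both inventories are constructed sample data.

```python
"""Automated difference detection for internal monitoring.

A baseline inventory of hosts and the services they expose is compared with
a fresh snapshot; every variance (host added or removed, service added or
removed) is reported so it can be reviewed or folded into the baseline."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Inventory = Dict[str, Set[Tuple[int, str]]]   # host -> {(port, service)}

# Constructed baseline: the approved state of the network.
BASELINE: Inventory = {
    "web-01": {(22, "ssh"), (443, "https")},
    "db-01": {(22, "ssh"), (5432, "postgresql")},
    "file-01": {(22, "ssh"), (445, "smb")},
}

# Constructed snapshot from the monitoring job: file-01 is gone, jump-02 is
# new, and db-01 now exposes a service that was never in the baseline.
CURRENT: Inventory = {
    "web-01": {(22, "ssh"), (443, "https")},
    "db-01": {(22, "ssh"), (5432, "postgresql"), (3389, "rdp")},
    "jump-02": {(22, "ssh")},
}

@dataclass
class Variance:
    kind: str                     # host_added | host_removed | service_added | service_removed
    host: str
    port: Optional[int] = None
    service: Optional[str] = None

def detect_variances(baseline: Inventory, current: Inventory) -> List[Variance]:
    """Return every difference between baseline and current, in a stable order."""
    findings: List[Variance] = []
    for host in sorted(set(current) - set(baseline)):
        findings.append(Variance("host_added", host))
        for port, svc in sorted(current[host]):           # new host: all its services are new
            findings.append(Variance("service_added", host, port, svc))
    for host in sorted(set(baseline) - set(current)):
        findings.append(Variance("host_removed", host))
    for host in sorted(set(baseline) & set(current)):     # hosts present in both
        for port, svc in sorted(current[host] - baseline[host]):
            findings.append(Variance("service_added", host, port, svc))
        for port, svc in sorted(baseline[host] - current[host]):
            findings.append(Variance("service_removed", host, port, svc))
    return findings

def format_report(findings: List[Variance]) -> str:
    """One line per variance, suitable for an alert or a review ticket."""
    lines = []
    for f in findings:
        where = f.host if f.port is None else f"{f.host}:{f.port}/{f.service}"
        lines.append(f"{f.kind:16} {where}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(detect_variances(BASELINE, CURRENT)))
```

Each reported variance is either approved (and added to the baseline) or handed to the vulnerability assessment and remediation domain; an unreviewed variance is exactly the kind of latent risk the planning domain wants documented.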

PLANNING AND RISK ASSESSMENT


As described in the previous section on the security management maintenance model, the primary objective of the
planning and risk assessment domain is to keep a lookout over the entire information security program, in part by
identifying and planning ongoing information security activities that further reduce risk. Also, the risk assessment
group identifies and documents risks introduced by both IT projects and information security projects. It also
identifies and documents risks that may be latent in the present environment. The primary objectives of this domain
are:
• Establishing a formal information security program review process that complements and supports both the
IT planning process and strategic planning processes
• Instituting formal project identification, selection, planning, and management processes for information
security follow-up activities that augment the current information security program
• Coordinating with IT project teams to introduce risk assessment and review for all IT projects, so that risks
introduced by the launching of IT projects are identified, documented, and factored into decisions about the
projects
• Integrating a mindset of risk assessment across the organization to encourage other departments to perform
risk assessment activities when any technology system is implemented or modified

VULNERABILITY ASSESSMENT AND REMEDIATION


The primary goal of the vulnerability assessment and remediation domain is to identify specific, documented
vulnerabilities and remediate them in a timely fashion. This is accomplished by:
• Using documented vulnerability assessment procedures to collect intelligence about networks (internal and
public-facing), platforms (servers, desktops, and process control), dial-in modems, and wireless network
systems safely
• Documenting background information and providing tested remediation procedures for the reported
vulnerabilities
• Tracking vulnerabilities from when they are identified until they are remediated or the risk of loss has been
accepted by an authorized member of management
• Communicating vulnerability information including an estimate of the risk and detailed remediation plans to
the owners of the vulnerable systems
• Reporting on the status of vulnerabilities that have been identified
• Ensuring that the proper level of management is involved in the decision to accept the risk of loss associated
with unrepaired vulnerabilities

The process of identifying and documenting specific and provable flaws in the organization’s information asset
environment is called vulnerability assessment (VA).
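The tracking, reporting and risk-acceptance points in the list above can be enforced in a small tracker. The Python below is an added example, not code from the handout: a finding moves from identified to remediated or to risk accepted, only the roles named in a constructed policy may accept risk, and the status report lists open items past a constructed SLA. The findings, hosts, roles and dates are all constructed sample data.

```python
"""Vulnerability tracking from identification to closure."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Roles allowed to accept the risk of an unrepaired vulnerability (constructed policy).
AUTHORIZED_ACCEPTORS = {"ciso", "cio"}
# Remediation deadline in days by risk estimate (constructed SLA).
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}

@dataclass
class Finding:
    ident: str
    host: str
    description: str
    risk: str                        # "high" | "medium" | "low"
    identified: date
    status: str = "identified"       # identified -> remediated | risk_accepted
    closed: Optional[date] = None
    note: str = ""

class VulnerabilityTracker:
    def __init__(self):
        self._findings = {}

    def identify(self, ident, host, description, risk, when):
        self._findings[ident] = Finding(ident, host, description, risk, when)

    def remediate(self, ident, when, note):
        f = self._open(ident)
        f.status, f.closed, f.note = "remediated", when, note

    def accept_risk(self, ident, approver_role, when, justification):
        # Only the proper level of management may accept the risk of loss.
        if approver_role not in AUTHORIZED_ACCEPTORS:
            raise PermissionError(f"role {approver_role!r} may not accept risk for {ident}")
        f = self._open(ident)
        f.status, f.closed = "risk_accepted", when
        f.note = f"accepted by {approver_role}: {justification}"

    def _open(self, ident):
        f = self._findings[ident]
        if f.status != "identified":
            raise ValueError(f"{ident} is already closed as {f.status}")
        return f

    def status_report(self, today):
        """Counts per status plus open findings past their SLA, for owner reporting."""
        counts = {"identified": 0, "remediated": 0, "risk_accepted": 0}
        overdue = []
        for f in self._findings.values():
            counts[f.status] += 1
            if f.status == "identified" and (today - f.identified).days > SLA_DAYS[f.risk]:
                overdue.append(f.ident)
        return counts, sorted(overdue)

def build_sample_tracker():
    """Constructed sample findings walking items through each outcome."""
    t = VulnerabilityTracker()
    t.identify("V-001", "web-01", "outdated TLS library", "high", date(2024, 3, 1))
    t.identify("V-002", "db-01", "verbose error pages", "medium", date(2024, 3, 1))
    t.identify("V-003", "file-01", "unpatched SMB service", "high", date(2024, 3, 1))
    t.identify("V-004", "jump-02", "banner discloses version", "low", date(2024, 3, 20))
    t.remediate("V-001", date(2024, 3, 5), "library upgraded; rescanned clean")
    t.accept_risk("V-002", "ciso", date(2024, 3, 10), "internal only; fix scheduled for Q3")
    return t

def sample_report():
    """Status of the constructed sample as of 2024-03-25."""
    return build_sample_tracker().status_report(date(2024, 3, 25))

if __name__ == "__main__":
    print(sample_report())
```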

READINESS AND REVIEW


The primary goal of the readiness and review domain is to keep the information security program functioning as
designed and to keep it continuously improving over time. This is accomplished by the following:
• Policy review: Policy needs to be reviewed and refreshed from time to time to ensure that it’s sound—in
other words, that it provides a current foundation for the information security program.
• Program review: Major planning components should be reviewed on a periodic basis to ensure that they
are current, accurate, and appropriate.
• Rehearsals: When possible, major plan elements should be rehearsed.

DIGITAL FORENSICS
Digital forensics is based on the field of traditional forensics. Forensics is the coherent application of methodical
investigatory techniques to present evidence of crimes in a court or court-like setting.

Digital forensics involves the preservation, identification, extraction, documentation, and interpretation of computer
media for evidentiary and/or root cause analysis. Like traditional forensics, it follows clear, well-defined
methodologies, but still tends to be as much art as science.

The Digital Forensics Team


Most organizations cannot sustain a permanent digital forensics team. In most organizations, such expertise is so
rarely called upon that it may be better to collect the data and then outsource the analysis component to a regional
expert.

Affidavits and Search Warrants


Most investigations begin with an allegation or an indication of an incident. Whether via the help desk, the
organization’s sexual harassment reporting channels, or direct report, someone makes an allegation that another
worker is performing actions explicitly prohibited by the organization or that make another worker uncomfortable in
the workplace.

An affidavit is sworn testimony that certain facts are in the possession of the investigating officer that they feel
warrant the examination of specific items located at a specific place. The facts, the items, and the place must be
specified in this document.

When an approving authority signs the affidavit or creates a synopsis form based on this document, it becomes a
search warrant, or permission to search for EM at the specified location and/or to seize items to return to the
investigator’s lab for examination.

Digital Forensics Methodology


In digital forensics, all investigations follow the same basic methodology:
1. Identify relevant items of evidentiary value (EM)
2. Acquire (seize) the evidence without alteration or damage
3. Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized
4. Analyze the data without risking modification or unauthorized access
5. Report the findings to the proper authority
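Steps 2 through 4 above are about provable integrity. The Python below is an added example, not code from the handout: it hashes the image at acquisition, records every hand-off in a chain-of-custody log with a fresh hash, runs analysis on a copy so the image cannot be modified, and shows how an alteration after seizure is detected. The evidence bytes, names and timestamps are constructed.

```python
"""Evidence integrity and chain of custody for acquired media."""
import hashlib
from typing import Callable, List, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class EvidenceItem:
    """One seized item: a working image plus its chain-of-custody log."""

    def __init__(self, label: str, image: bytes, acquired_by: str, when: str):
        self.label = label
        self._image = bytes(image)
        # Hash taken at seizure is the reference every later check compares against.
        self.acquisition_hash = sha256_hex(self._image)
        self.custody: List[Tuple[str, str, str, str]] = [
            (when, acquired_by, "acquired", self.acquisition_hash)
        ]

    def transfer(self, to_person: str, when: str) -> None:
        """Log a hand-off; the hash is recomputed so the log records the state at that moment."""
        self.custody.append((when, to_person, "received", sha256_hex(self._image)))

    def verify(self) -> bool:
        """True only if the working image still matches the hash taken at seizure."""
        return sha256_hex(self._image) == self.acquisition_hash

    def analyze(self, fn: Callable[[bytes], object]):
        """Analysis runs on a copy, so the analyst's code cannot alter the image."""
        return fn(bytes(self._image))

def custody_is_intact(item: EvidenceItem) -> bool:
    """Every custody entry must carry the acquisition hash; the first mismatch marks
    the hand-off at which the evidence changed."""
    return all(h == item.acquisition_hash for _, _, _, h in item.custody)

# Constructed sample "disk image": a few bytes standing in for an acquired drive.
SAMPLE_IMAGE = b"MBR\x00...user docs: confidential-memo.txt; browser cache; mailbox"

def build_sample_item() -> EvidenceItem:
    """Constructed acquisition followed by one logged transfer to the lab."""
    item = EvidenceItem("laptop HDD, asset 4421", SAMPLE_IMAGE,
                        "investigator A", "2024-03-01T09:00Z")
    item.transfer("lab technician B", "2024-03-01T14:30Z")
    return item

def keyword_hits(image: bytes) -> int:
    """Example read-only analysis: count a keyword in the image."""
    return image.count(b"confidential")

def simulate_alteration(item: EvidenceItem) -> None:
    """Demo only: mimic an unauthorized write to the working image after seizure."""
    item._image = item._image.replace(b"memo", b"note")

if __name__ == "__main__":
    item = build_sample_item()
    print("hits:", item.analyze(keyword_hits), "intact:", item.verify())
    simulate_alteration(item)
    item.transfer("examiner C", "2024-03-02T10:00Z")
    print("after alteration, intact:", item.verify(), custody_is_intact(item))
```

The evidence form of Figure 5.6 records the same facts on paper; the hash columns are what make step 3 verifiable rather than asserted.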


Figure 5.6 Evidence Form Used in Digital Forensics
Figure 5.7 Affidavit and Search Warrant

Evidentiary Procedures
In information security, most operations focus on policies—those documents which provide managerial guidance for
ongoing implementation and operations. In digital forensics, however, the focus is on procedures. When
investigating digital malfeasance or performing root cause analysis, keep in mind that the results and methods of the
investigation may end up in criminal or civil court.

Organizations should develop specific procedures, along with guidance on the use of these procedures. The policy
document should specify the following:
• Who may conduct an investigation
• Who may authorize an investigation
• What affidavit-related documents are required
• What search warrant-related documents are required
• What digital media may be seized or taken offline
• What methodology should be followed
• What methods are required for chain of custody or chain of evidence
• What format the final report should take and to whom it should be given

ACTIVITIES

INSTRUCTIONS. Answer the following activities in the provided answer sheet.

ACTIVITY 1. Review Questions


1. List and define the factors that are likely to shift in an organization’s information security environment.
2. What does CERT stand for? Is there more than one CERT? What is the purpose of a CERT?
3. What is digital forensics, and when is it used in a business setting?

ACTIVITY 2.
Search the Web for two or more sites that discuss the ongoing responsibilities of the security manager.
What other components of security management, as outlined by this model, can be adapted for use in the
security management model?
