IT Security Architecture and Framework
The term IT security architecture and framework describes an organization's documented information security policies, standards, procedures, and guidelines. Many organizations, after conducting their first risk and vulnerability assessment, realize immediately that they have put little or no effort into the overall security design of the IT infrastructure and its assets. Many still have no written information security policies, standards, procedures, or guidelines. This can be a frightening realization, because the results of a risk and vulnerability assessment project are typically used as the basis for the organization's follow-up business continuity and disaster recovery plans. Executive management is then faced with tough decisions about the information security priorities identified in the assessment report's findings, assessment, and recommendations section. Tactical and strategic recommendations for mitigating risk and raising the level of security in the areas found to be missing or inadequate must be prioritized according to the risks and exposures identified.
The final assessment and recommendations report for a risk and vulnerability assessment must spell out specifically what new or updated policies, standards, procedures, and guidelines must be documented and adopted throughout the organization to get the organization in alignment with the defined security controls. Many organizations find themselves with serious gaps or voids in their defined and documented security controls. Because of this, it is critical to define in the final assessment and recommendations report what the organization's goals and objectives are for an IT security architecture and framework.
Goals and Objectives
Each organization is unique, but they all share a common foundation in that they need defined goals and objectives for their own IT security architecture and framework. Following are some common goals and objectives for an IT security architecture and framework that an organization may consider:
- To be in compliance with new industry laws, mandates, and regulations that require defined and documented security controls. Properly defined security controls must be documented and implemented throughout the organization, depending upon the requirements of the new law, mandate, or regulation.
- To define a minimum level of acceptable risk for the organization in the seven areas of information security responsibility. This minimum level of acceptable risk must be clearly defined so that the proper security controls can be defined for each area and the IT assets that reside in that area of responsibility.
- To define a comprehensive suite of information security policies that allows the organization to ensure that the confidentiality, integrity, and availability of the IT infrastructure and IT assets are not compromised.
- To demonstrate that information security policies can be used as a powerful proactive tool for running and securing an organization's IT infrastructure and IT assets, thus cost justifying annual funding and support from executive management for information security initiatives.
- To align the organization's minimum acceptable level of risk with the organization's information security policies, standards, procedures, and guidelines.
- To be relevant to the business issues, business drivers, and priorities of the organization in regard to how information security is to be deployed and managed by the organization.
- To be all encompassing for the entire organization with executive management support at the highest level and information security awareness for all employees.
- To be easy to read, understand, and implement under the guidance of the IT organization's chief security officer or designated appointee responsible and accountable for the IT security architecture and framework.
Terminology
When describing an IT security architecture and framework, it is important to define the terminology, definitions, and the hierarchy that will be used throughout this chapter. These terms and definitions are common to IT security architectures and frameworks:
- Compliance There are two kinds of compliance: legal or regulatory compliance as required by new information security laws, mandates, and regulations; and departmental and employee compliance with an IT organization's IT security architecture and framework.
- Exceptions Any exceptions to defined policies, standards, procedures, or guidelines will be listed and described for situations that are beyond the control of the information security organization or beyond the scope of the policy or standards definition.
- Guidelines Guidelines are suggested courses of action to be taken in reference to a policy, standard, or procedure. Unlike a standard, a guideline is not mandatory.
- Procedures A procedure defines instructions for installing, monitoring, auditing, or maintaining a particular information security policy, standard, or technical standard.
- Policy An authoritative document supported by executive management that defines how an organization will implement the goals and objectives of the policy in an effort to protect the organization's IT infrastructure and IT assets.
- Requirements Requirements are the elements of a standard, whether it is an actionable item or a technical definition or description for how information security hardware, software, or configurations are to be implemented in the IT infrastructure.
- Standard A document that defines a common organizational method or approach as an actionable item to a specific policy. A standard represents the elements of a policy that must be followed to ensure the confidentiality, integrity, and availability of the IT infrastructure and its assets.
- Technical standard A document that defines configurations and what hardware and software are authorized to connect to and operate on the organization's IT infrastructure. A technical standard refers to the use and implementation of specific hardware, software, and/or configurations for information security customer premises equipment (CPE) based on predefined technical requirements that must be adhered to throughout the IT infrastructure.
Defining the Structure and Hierarchy
How an IT organization structures and documents its policies, standards, procedures, and guidelines requires careful analysis and design. Information technology and security personnel responsible for managing and maintaining the IT infrastructure's security must clearly understand the duties, tasks, roles, responsibilities, and accountabilities. One such information security policy structure was defined by the META Security Group, now part of the Gartner Group through acquisition. This information security policy structure is based on the following five foundational elements:
- Risk Management Basis Creation of the organization's information security policies is driven by risk management and the mitigation of risks arising from threats and vulnerabilities. This aligns the IT security architecture and framework with the IT infrastructure's defense-in-depth strategy for combating threats and vulnerabilities.
- Hierarchical Policy Structure A hierarchical structure allows for clear and concise definitions and keeps the policy high-level, where the standards, procedures, and guidelines are more detailed and can define the roles, responsibilities, and accountabilities of IT security professionals and IT staff.
- Guideline Definition A guideline provides a framework for how the information security policies and standards are to be implemented throughout the IT infrastructure and organization. These guidelines in turn provide the flexibility and roadmap for how a department within an organization is to implement the policies and standards.
- Threat and Vulnerability Policies Risk management must address threats and vulnerabilities through policies that speak to these issues directly. Organizations must have specific threat and vulnerability policies to counter the risks inherent in IT infrastructures and assets.
- Policy Interpretation Policies are not open to interpretation and must be consistent and understood by all departments in an organization. Any discrepancy with or exception to the IT organization's policies must be reviewed and assessed on its own merits, either by the Change Control Board in accordance with the organization's Change Management Policy, or by the Chief Security Officer or equivalent party responsible and accountable for the organization's overall information security.
When creating a structure and hierarchy for an IT security architecture and framework, it is best organized from a risk management perspective, because that aligns the policies, standards, procedures, and guidelines specifically with the mitigation of risk posed by threats and vulnerabilities to the IT infrastructure and its assets. The results of the IT organization's risk assessment form the foundation for which policies, standards, procedures, and guidelines are needed to ensure the confidentiality, integrity, and availability of the organization's IT infrastructure and assets. The recommended information security architecture and framework should be based on risk management goals and objectives that are aligned with the organization's business drivers, priorities, and requirements. Risk is a function of threat, vulnerability, and asset value: it exists only when a threat can exploit an actual vulnerability and adversely impact an IT asset or data asset, so a vulnerability with no credible threat, or a threat with no vulnerability to exploit, contributes no risk. Risk can never be completely eliminated; it can, however, be managed through proper security controls, measures, and frameworks for securing the IT infrastructure and its assets.
The risk management approach to information security involves identifying, assessing, and appropriately mitigating vulnerabilities and threats that can adversely impact the organization's IT infrastructure and assets. This risk management approach for an IT security architecture and framework is depicted in Figure 10.1.
Figure 10.1. Risk management and relationship to threats and vulnerabilities.
Classifying IT Assets
Under this risk management approach, IT assets, threats, and vulnerabilities are mapped against one another so that risk mitigation can be addressed for the known threats and vulnerabilities to the IT assets the organization currently owns. IT assets can be classified, for example, into priorities such as Critical, Major, and Minor. A Critical IT asset is the most important to the organization and a Minor IT asset the least important.
By classifying IT assets, an organization can identify its mission-critical IT assets first and prioritize its information security countermeasures and investments second. This type of prioritization is commonplace in organizations that have a limited budget for information security initiatives or must prioritize the design and deployment of information security controls and security countermeasures because of limited resources and funds.
Classifying Data Assets
Another example of asset classification or categorization is the creation and implementation of a data classification standard. A data classification standard requires an organization to define categories for its information assets, which in turn calls for different levels of security for those data assets throughout the IT infrastructure, based on their classification and where they are located in the IT infrastructure. The following is a sample data classification standard that classifies and categorizes the information security requirements for the data itself.
After a data classification standard is defined for an organization, the appropriate asset protection goals and objectives can be defined for each classification or category, and IT asset protection goals and objectives can then be aligned with them. Once these goals and objectives are defined, information security techniques and technologies can be designed to provide the level of security the data classification standard demands. After the organization has purchased and implemented those techniques and technologies, asset management can begin: management of IT assets and information assets proceeds through the creation and implementation of sound asset management procedures and guidelines.
Finally, the creation and deployment of acceptable use policies for the organization's IT assets and information assets can be defined. They should be monitored and managed by the IT organization's information security personnel responsible and accountable for ensuring that its policies, standards, procedures, and guidelines are followed. This risk management approach to mitigating threats and vulnerabilities is depicted in Figure 10.2 and represents a continuous life cycle to properly mitigate risk.
Figure 10.2. Risk management approach to mitigating threats and vulnerabilities.
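The two classification steps above, asset classification (Critical, Major, Minor) and a data classification standard, feed directly into the risk prioritization that Figure 10.2 describes. The following is an added worked example, not code from the chapter: it scores each finding as asset value x threat likelihood x vulnerability severity, raises an asset's classification to the floor implied by the most sensitive data it stores, and treats an asset nobody has classified as Critical until it is classified. The numeric weights, the four data labels, the 0-10 severity scale, and the sample inventory are all constructed assumptions for illustration.

```python
"""Risk-based prioritization of IT and data assets (added example).

Asset values, data labels and the sample inventory below are assumptions
constructed for illustration; they are not taken from any real standard.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Asset classification tiers named in the text, mapped to an assumed weight.
ASSET_VALUE = {"Minor": 1, "Major": 2, "Critical": 3}

# Assumed data classification standard: the most sensitive data label held
# on an asset implies a minimum (floor) classification for that asset.
DATA_CLASS_FLOOR = {
    "Public": "Minor",
    "Internal": "Major",
    "Confidential": "Critical",
    "Restricted": "Critical",
}

FAIL_CLOSED_CLASS = "Critical"  # used for unclassified assets / unknown labels


@dataclass
class Finding:
    vuln_id: str
    severity: float           # 0-10, CVSS-like base score (assumed scale)
    threat_likelihood: float  # 0.0-1.0, chance a real threat exploits it


@dataclass
class Asset:
    name: str
    declared_class: Optional[str]  # None means never classified
    data_labels: List[str]
    findings: List[Finding] = field(default_factory=list)


def effective_class(asset: Asset) -> str:
    """Declared class, raised to the floor implied by the data it holds.

    An asset with no recorded classification, or carrying a data label the
    standard does not define, is treated as Critical (fail closed) so it is
    never silently deprioritized.
    """
    if asset.declared_class is None:
        return FAIL_CLOSED_CLASS
    candidates = [asset.declared_class] + [
        DATA_CLASS_FLOOR.get(label, FAIL_CLOSED_CLASS) for label in asset.data_labels
    ]
    return max(candidates, key=lambda c: ASSET_VALUE[c])


def risk_score(asset_class: str, finding: Finding) -> float:
    """Risk = asset value x threat likelihood x vulnerability severity.

    As the text says, risk exists only when a threat can exploit an actual
    vulnerability; a likelihood of 0 or a severity of 0 yields no risk.
    """
    return ASSET_VALUE[asset_class] * finding.threat_likelihood * finding.severity


def prioritize(assets: List[Asset]) -> List[Tuple[str, str, str, float]]:
    """Return (asset, effective class, vuln id, score), highest risk first.

    Ties are broken in favour of the higher asset class, then by name, so the
    ordering is deterministic for an audit trail. Zero-risk rows are dropped.
    """
    rows = []
    for asset in assets:
        cls = effective_class(asset)
        for finding in asset.findings:
            score = round(risk_score(cls, finding), 2)
            if score > 0:
                rows.append((asset.name, cls, finding.vuln_id, score))
    rows.sort(key=lambda r: (-r[3], -ASSET_VALUE[r[1]], r[0]))
    return rows


def unclassified(assets: List[Asset]) -> List[str]:
    """Assets still missing a declared classification; a gap to close first."""
    return [a.name for a in assets if a.declared_class is None]


# Constructed sample inventory (not real systems or findings).
SAMPLE_ASSETS = [
    Asset("payroll-db", "Major", ["Restricted"], [Finding("V-1", 7.5, 0.6)]),
    Asset("kiosk-01", "Minor", ["Public"], [Finding("V-2", 9.8, 0.9)]),
    Asset("legacy-fileserver", None, ["Internal"], [Finding("V-3", 5.0, 0.0)]),
    Asset("web-proxy", "Major", ["Internal"], [Finding("V-4", 6.0, 0.5)]),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ASSETS):
        print("%-18s %-9s %-5s %.2f" % row)
    print("unclassified:", unclassified(SAMPLE_ASSETS))
```

Note what the ordering shows: payroll-db is only declared Major, but because it stores Restricted data it is scored as Critical and lands at the top even though the kiosk carries the higher raw severity. The legacy file server produces no risk row because no credible threat is recorded for its finding, yet it still appears in the unclassified list, which is the gap the classification step is meant to expose.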
Hierarchical IT Security Architecture and Framework
By creating and implementing a hierarchical IT security architecture and framework, an organization can align and link its policies with a risk management strategy that incorporates standards, technical standards, procedures, and guidelines. Figure 10.3 depicts this hierarchical policy structure, which allows for organized and clearly defined goals and objectives that the organization can implement and enforce throughout the IT infrastructure. By defining a hierarchical structure, elements at lower levels in the framework are directly linked to the risk management strategy and business objectives of the organization.
Figure 10.3. Hierarchical IT security architecture and framework structure.
This hierarchical IT security architecture and framework structure consists of the following elements:
- The organization's IT security architecture and framework must include goals and objectives for securing the IT infrastructure and its assets.
- At the highest level, information security policies are required to define what information security goals and objectives are to be addressed and handled by the organization.
- In support of the information security policies, standards and technical standards are required that provide for measurable or auditable guidance in each policy area. Note that a policy can have more than one standard associated with it.
- For proper implementation, procedures and guidelines are required that describe how to implement the standards and technical standards.
Sample IT Security Architecture and Framework
Information security policies are created to provide a universal definition of what must be protected across the IT infrastructure and its assets; the solution-specific standards, procedures, and guidelines defined by the organization then say how. A typical IT security architecture and framework based on risk management includes the following elements at the policy definition level:
- Asset Identification and Classification The organization's IT assets and resources must be appropriately documented, labeled, inventoried, and categorized according to the asset identification and classification specifications and parameters defined in each of the referenced standards.
- Asset Protection The organization's IT assets must be protected based on the defined standards, procedures, and guidelines to ensure the confidentiality, integrity, and availability of the organization's IT assets and resources.
- Asset Management The organization's IT assets must be properly managed with established procedures and guidelines to ensure the confidentiality, integrity, and availability of the organization's IT assets and resources. Asset Management includes Change Control Procedures and Guidelines as defined by the Change Control Board of the organization.
- Acceptable Use The organization's acceptable use policies require all employees, contractors, and third parties to read, sign, and comply with the organization's Acceptable Use Policies (AUPs) before gaining access to the organization's IT resources, systems, and assets. AUPs are typically drafted to cover Internet access, Internet etiquette, electronic mail usage, and access to the organization's IT resources, systems, and assets.
- Vulnerability Assessment and Management The organization's IT infrastructure and assets must undergo vulnerability assessments as required by the organization's defined policies. In addition, the vulnerability management program itself must be reassessed periodically so that technical, organizational, procedural, administrative, or physical security weaknesses are properly identified and prioritized, maintaining the confidentiality, integrity, and availability of the organization's IT assets.
- Threat Assessment and Management Threat assessment and management must be implemented within the seven areas of information security responsibility in an effort to take a proactive role in the monitoring and containment of threats from unauthorized users who access the organization's IT infrastructure and assets.
- Security Awareness and Training The organization's employees, contractors, and third parties must participate and take the information security awareness training program to ensure proper understanding of the policies, standards, procedures, and guidelines for the organization.
This risk-management-based IT security architecture and framework is depicted in Figure 10.4.
Figure 10.4. Risk-management-based IT security architecture and framework.