Sunday, September 27, 2015

Week 4

September 25, 2015

Contingency Planning... Do You Have a Good Plan "B"?

Most businesses would like events to unfold routinely, without too many changes, variations or problems, but is that what happens in your practice? Events do not always go as planned. Each incident and its outcome differ according to the circumstances, which vary every time. A contingency plan is designed to help an organization respond effectively to a significant future event or situation that may or may not happen.

Risk management emerged as part of contingency planning and brings a dynamic view of events and circumstances. Risk management helps to reduce uncertainty, preserve assets, and identify the risks to achieving the organization's mission. Yet organizations often omit the most important factor from their plans: "What if?" These two words are the essence of risk management and offer a different perspective on Plan A. What if Plan A does not work as planned? It is important to understand that risk management practice provides the foundation for Plan A, while contingency planning provides the platform for Plan B.

Over time, risk management practice recognized that different risk situations require different levels of response and different approaches. As a result, organizations developed emergency plans, crisis management plans, and disaster plans.

An emergency plan deals with contingencies that may or may not occur. The policies and procedures that reduce, prevent, and control risk make up Plan A; the emergency plan, or Plan B, exists to respond when Plan A does not go as intended.

A crisis occurs when the threat is not eliminated by the emergency plan and some impact is felt. Risk management and contingency plans focus on controlling and managing risk pre-loss; crisis management focuses on controlling and managing risk post-loss. A crisis management plan therefore helps the organization plan for the aftermath of an event and is an effective tool for answering the question, "What do we do now?"

Consider a recent disaster, the California wildfires, as an example. The emergency plan came into action as the fires started; the crisis began as people suffered financially and emotionally from the loss of property and loved ones; and the disaster was evident in the hundreds of houses and thousands of acres of land and forest affected. How would you manage under such circumstances?

As circumstances change, new risk factors threaten your organization and trigger your emergency, crisis management, and disaster plans, which together make up your contingency plan, or Plan B. It is important to give Plan B the same attention as Plan A, because Plan B plays as critical a role in your recovery as Plan A does in your normal operations. Does your organization have a Plan B in place? When was the last time your organization reviewed its emergency, crisis management, and disaster plans? It is never too late to start thinking about and planning for Plan B. The small effort of asking "What if?" can help you deal with unexpected situations in the future.

References:

Michael E. Whitman and Herbert J. Mattord, "Management of Information Security", Fourth Edition, Cengage Learning.

Schirick, Ed (2003), "Risk Management: Contingency Planning - The Art of Developing Plan B", Camping Magazine, January/February 2003. Retrieved from: http://www.acacamps.org/content/risk-management-contingency-planning-art-developing-plan-b

Andrushko, Veer Galyna, "Contingency Planning - Developing a Good Plan B", MindTools.com. Retrieved from: https://www.mindtools.com/pages/article/newLDR_51.htm

Sunday, September 20, 2015

Guidelines on Security and Privacy in Public Cloud Computing

September 20, 2015
Week 3
NIST SP 800-144 provides an overview of the security and privacy challenges facing public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment. The document offers insight into the threats, technology risks and safeguards associated with public cloud environments to help organizations make informed decisions about using this technology.
A cloud arrangement involves two parties, the service provider and the subscriber. Each comes to the relationship with its own expectations, so it is important to understand where each party is coming from, what its goals are, and, in case the relationship does not work out, what the exit strategy is. SP 800-144 was written to help organizations set the expectations that must exist between the client and the cloud provider.
Here are a few of SP 800-144's recommended guidelines for implementing cloud solutions successfully while addressing the security and privacy challenges, threats, and risks of cloud computing:
Carefully plan the security and privacy aspects of cloud computing solutions before engaging them:
Organizations need to set clear security objectives when planning to outsource, and to plan security according to the sensitivity of the data. Establish a clear understanding of the provider's intentions. Does the provider comply with all relevant organizational policies, and is privacy maintained? How does it handle your customers' data? Is it serious about the relationship? Did you take a risk-based approach in analyzing the available security and privacy options and deciding which organizational functions to place in a cloud environment?
Understand the public cloud-computing environment offered by the cloud provider:
Are the service models offered by the cloud provider compliant with your organization's privacy and security requirements? If the provider is certified and compliant, will it allow your organization to verify its privacy and security through an independent assessment? Does the provider offer assurances to support its security and privacy claims?
It is important to understand the provider's cloud system architecture in detail. This helps your organization and the provider assess and manage risk accurately and mitigate it with appropriate techniques and procedures, including regular monitoring of the system's security state. SP 800-144 provides a framework and guidelines for these considerations to help both parties work toward the same goals.
Ensuring that a cloud computing solution satisfies organizational security and privacy requirements:
For some organizations, a public cloud may not be the best fit: what it offers may not match the organization's security and privacy needs, and a private cloud may be necessary given the organization's risk posture and the plausible threats it could face. Some public cloud providers offer only non-negotiable service agreements, so make sure a negotiated agreement and a safe exit strategy are in place in case the provider turns out not to fit your needs. SP 800-144 recommends that, where the standard terms are non-negotiable, the organization seek a negotiated service agreement that documents the assurances the cloud provider must furnish to corroborate that organizational requirements are being met. Note that Federal Information Processing Standard (FIPS) 140 is a standard for cryptographic modules, not a service agreement; requiring FIPS-validated cryptography is one example of an assurance such an agreement might document.
Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing:
Clients may access the cloud through web browsers or lightweight PC and mobile applications. Browser plug-ins and extensions can introduce security threats, because many add-ons do not update automatically and so accumulate vulnerabilities. With the growth of mobile apps, social media, personal webmail and other public sites, clients are also easy targets for social engineering attacks. It is therefore important to review the cloud computing security architecture and the existing security and privacy measures, and to employ additional measures where necessary to secure the client side. Remember that remote access itself introduces risk, so ask whether it is safe to entrust all of your information to the provider.
Maintain accountability over the privacy and security of data and applications implemented and developed in public cloud computing environments:
Is your cloud provider maintaining a secure cloud solution by regularly monitoring its security and privacy practices? Does it monitor the organization's information assets and assess the implementation of the policies, standards, procedures, controls, and guidelines that establish and preserve the confidentiality, integrity, and availability of information system resources? SP 800-144 gives both client and provider guidance on monitoring the security of the organization's networks, information, and systems, and on mitigating risk.
In most cases a significant portion of the computing environment is under the cloud provider's control and beyond the client's reach, so organizations need to ensure that security and privacy controls are implemented correctly, operate as intended, and meet organizational requirements.
Conclusion:
The main purpose of NIST SP 800-144 is to provide an overview of public cloud computing and the security and privacy challenges involved. The document also offers a collective view of the threats, technology risks, and safeguards for public cloud environments. It gives organizations an in-depth analysis and valuable guidance so that they can make their own decisions based on their own analysis of their needs, and assess, select, engage, and oversee the public cloud service that best fulfills those needs.
References
Jansen, Wayne and Grance, Timothy (December 2011), "Guidelines on Security and Privacy in Public Cloud Computing", NIST Special Publication 800-144. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

Banks, Erin K. (February 2012), "NIST SP800-144 Guidelines on Security and Privacy in Public Cloud Computing - A Relationship Manual", EMC.com. Retrieved from: http://publicsectorblog.emc.com/erin_banks/nist-sp800-144-guidelines-on-security-and-privacy-in-public-cloud-computing-a-relationship-manual/

Brown, Evelyn (January 2012), "NIST Issues Cloud Computing Guidelines for Managing Security and Privacy", NIST Information Technology Laboratory. Retrieved from: http://www.nist.gov/itl/csd/cloud-012412.cfm


Saturday, September 12, 2015

Week 2
Risk management and project management go hand in hand.
Managing a project is never easy when it comes to risk management. All team members, as well as leaders, need a clear understanding of the issues and of the organization's goals, which in turn provide the guidelines. The risk management team may find itself constantly dealing with uncertainty and unexpected events throughout the project life cycle, events that can have a positive impact ("opportunities") or a negative impact on the project's objectives.

Every organization usually has comprehensive guidelines and detailed procedures for risk management, set out during strategic planning. For managing project risk, the Project Management Institute provides a comprehensive process:
-       Plan risk management
-       Identify risks
-       Perform qualitative risk analysis
-       Perform quantitative risk analysis
-       Plan risk responses
-       Monitor and control risks.
I completely agree with the article and its considerations for risk management:
-       Risk management affects the budget, schedule, scope, quality, communications and stakeholder engagement, as well as how successfully the project's output is implemented.
-       Risks can be positive (creating an opportunity) or negative (if an issue or attack occurs).
-       Careful strategic planning for risks helps the team avoid issues and prevent negative impacts, as well as maximize the positive impact of risk.
-       Risk management should be prioritized from the initial stage of the project, discussed and monitored constantly, and involve all team members throughout the project life cycle.
-       Skill in risk management can influence stakeholders' appetite for risk.

As the article puts it, "Risk management is project manager's friend if done well". There is always the possibility of an unknown risk from an unknown source causing unknown trouble, so assessing reasonable risks from the initial stage of the project and actively managing them throughout its life cycle will certainly influence the project's outcome and the success of its implementation.

Reference:

Hamilton, Gary, Byatt, Gareth and Hodgkinson, Jeff (3 May 2011), "Risk management and project management go hand in hand", CIO.com. Retrieved from: http://www.cio.com.au/article/print/385084/risk_management_project_management_go_hand_hand/

Saturday, September 5, 2015

McCumber Cube to Model Network Defense

Week 1
McCumber Cube and Extended Version.


This week we focused on the McCumber Cube model for information security (InfoSec). InfoSec is the protection of information and its critical characteristics: confidentiality, integrity, and availability. The McCumber Cube is a three-dimensional view of information characteristics, information location, and security control categories, and it has served as a standard way of modeling InfoSec around those core characteristics. The cube is 3x3x3, with 27 cells, as shown in figure 1.

The basic concept of this three-dimensional model is that, to secure information and achieve the desired InfoSec goals, each cell must be addressed.

This graphical security model helps make a complex problem understandable, gives a deeper understanding of the relationships between the components, and provides a way to model risk management. Each axis of the cube represents a different perspective: information characteristics, which address confidentiality, integrity, and availability; information location (the information states), which addresses storage, processing, and transmission; and security control categories, which address technology, people (education and training), and policy and practice. The model gives practitioners a platform for selecting the security service needed for given circumstances. For example, one cell is integrity, storage, and technology; another is confidentiality, transmission, and policy and practice; another is confidentiality, processing, and policy and practice.

In his article "Extending the McCumber Cube to Model Network Defense", Sean M. Price argues that to address contemporary security issues practitioners need to narrow the cube model to a particular situation and a particular security service. Practitioners need to adopt a risk-based approach and analyze the appropriateness and completeness of the countermeasures against each attack on the system. Here are some of the examples presented in the article:
Figure 2, Proposed Extension to McCumber Cube (Source: Price, 2008)


Figure 3, Confidentiality Model Extension (Source: Price, 2008)


Figure 4, Integrity Model Extension (Source: Price, 2008)

Figure 5, Availability Model Extension (Source: Price, 2008)

In the diagrams above, Price uses color to distinguish the elements: the attack vector is red, the information state green, the countermeasures orange, and the security goal blue.

To enforce InfoSec, practitioners need to focus on situation-specific issues rather than relying on a single model. Price's extended cube helps clarify the situation and the measures that need to be considered to address the threats and issues in our practice. There are valid arguments for this extension of the McCumber Cube to address security services, countermeasures and specific attacks. It provides a different perspective on risk management and helps identify the respective countermeasures across all dimensions.

Reference:
1.    Michael E. Whitman and Herbert J. Mattord, "Management of Information Security", Fourth Edition, Cengage Learning.
2.    Sean M. Price (September 2008), "Extending the McCumber Cube to Model Network Defense", ISSA Journal. Retrieved from: https://cyberactive.bellevue.edu/bbcswebdav/pid-7538926-dt-content-rid-10132349_2/courses/CIS608-T303_2161_1/mccumber%20article.pdf



Friday, September 4, 2015

Hello everyone, I am Sachin Shrestha, a student of Management of Information Security at Bellevue University.
This blog is designed to fulfill the course requirement of MIS 608, Information Security Management. During the course, this blog will focus on different aspects of information system management, information security, risk, vulnerability, and policy and practice.
This blog will also focus on different ethical aspects of information security.

Sachin Shrestha