Sample Master's Thesis: Chapter 2 - Information Security Governance and Practices
Published: January 20, 2012
Revised: January 23, 2012
Delivering policies that enhance the organization’s information security posture with regard to confidentiality, integrity, and availability can be very restrictive in nature. Some may argue that the formation of such policies deters innovation. The information security governance of the organization, combined with the organizational culture, may, however, promote innovation when applied correctly.
"People think of governance as something very constraining and resourcefulness as something innovative, but in fact, governance is a core component of resourcefulness," says Howard Rubin, executive vice president at Meta Group. "It’s hard to foster resourcefulness without governance." In other words, a solid governance structure promotes resourceful thinking within an organization. (Dragoon, 2003)
Information security governance and practices at Dayton College highlight some key concepts defined by Dragoon (2003). These concepts comprise the following:
Dayton College operates on a tight budget. Information security projects must demonstrate value to the organization, just like all other IT projects. Projects that provide little or no return on investment are discontinued.
History shows that most IT project failures can be traced back to poor planning. Good planning begins with a formal project proposal that defines the project’s scope and cost. Dayton College requires formal project proposals before projects are approved and project plans must be developed before any work on a project begins.
New resources are only procured when no existing equipment fits a requirement. The Virtual IT Lab Project demonstrates this concept by leveraging computers donated by other departments and re-provisioning a computer to act as a router and firewall, thus lowering implementation costs.
Projects must be completed while the project goals are still relevant to the organization’s business requirements. Dividing projects into smaller manageable chunks ensures timely completion of project deliverables while those deliverables still fit in with the organization’s strategic goals. The timeline for the Virtual IT Lab Project is short so the college will experience beneficial results almost immediately.
Systems can be built that are very usable but not secure, or very secure but not usable. The proper balance between security and usability must be maintained. The goal of information security governance at Dayton College is to gain voluntary compliance with security measures and controls from users, students and staff alike. Measures that would prompt users to circumvent the system are to be avoided. The move to a virtual lab environment should not be viewed as an extreme measure, because students will not notice the difference between a virtual environment and a production network as long as their activities remain consistent with the purpose of the lab.
Good governance can also shape that environment to a certain extent. According to Meta Group’s Rubin, governance should set boundaries but not mandate the use of this technology or that. Instead of establishing governance practices that focus on constraining and setting limits, Rubin says, organizations should set policies that feed innovation and resourcefulness. (Dragoon, 2003).
Control mechanisms are necessary to protect the organization and to demonstrate that due diligence and due care are being exercised. The concern of information security is to ensure that the qualities of confidentiality, integrity, and availability are maintained at acceptable levels. To this end, control mechanisms are put in place to maintain those qualities.
The International Organization for Standardization (ISO) has developed a set of controls directed toward various aspects of information security. Applied to this project, the most relevant guidelines are contained in the summary of the objectives of the seventh section of ISO 17799, which include the following:
- Ensure the secure operation of information processing facilities
- Minimize the risk of systems failures
- Protect the integrity of information and software
- Maintain the availability and integrity of information and processing facilities
- Ensure the protection of information in networks and of the supporting infrastructure
- Prevent unauthorized disclosure, modification, removal or destruction of assets
- Prevent unauthorized disruption of business activities
- Detect unauthorized information processing activities
(ISO 17799 Portol, 2007)
To this end, controls are divided into three organizational categories: technical controls, physical controls, and administrative controls.
Authentication controls are lacking in the student domain of the network. A single shared username/password combination is used, which is equivalent to not controlling access to the network at all. Logging and monitoring activities are ineffective because individuals are not identified as part of the authentication process, so no logged event can be attributed to a specific person. The reasoning for the lax control mechanism is that the college employs only a single network administrator, and management feels that reducing the workload is more important than securing the student domain of the network.
While protections on the student domain lack effectiveness, the college’s production domain is adequately protected. Access control is tight, system desktops are locked down, and the college employs a strong password policy. The purpose for these controls is to protect the sensitive information for which the college is responsible.
Physical controls to regulate access to equipment are in place at the college. All lecture rooms and computer labs are kept locked when not occupied by an instructor. Only the network administrator has access to the server room, which houses the servers and network distribution equipment. Video surveillance is in place to help alert security personnel when unauthorized individuals enter critical areas.
The college employs a strict change-management policy. Any change to the production environment requires a project plan that includes test results indicating the effect on existing systems in the test environment, and a back-out plan to remediate a change that does not go as planned.
The college is beginning to issue uniforms to students and instructors so they are easily identifiable; individuals not wearing a uniform will stand out, and the purpose of their presence can then be investigated. ID cards and lanyards are issued to staff and students, and a directive has been issued that the ID cards be displayed as badges.
Emerging threats, as addressed by this project, result from unrestricted student access to the Internet. While in the existing computer labs, many students view idle time as an opportunity to surf the web and visit social networking sites. These visits have resulted in incidents involving the downloading of inappropriate content and the infection of a number of workstations with Trojans. This type of activity enables three significant emerging threats to the security of information assets at the college. These threats include the following:
Firewall controls are in place to limit student Internet access; however, some students explore the non-blocked address space and discover proxy sites to use for their web-surfing activities. These proxy sites are then used to bypass the existing controls, so a participating student is free to visit the sites of their choice regardless of the firewall settings. Because the firewall blocks known sites rather than permitting only approved ones, every newly discovered proxy site has to be blocked individually.
Malware is software that delivers damaging or malicious content to an unsuspecting user’s computer, and it continues to be an emerging threat. Malware is one of the main components of botnet creation.
First there were viruses - malicious code that did something on a computer that the user did not initiate or want. Next there were worms, viruses that could spread themselves using email or by exploiting network or application vulnerabilities. …What could be worse? What if the originator of the worm could retain control of each infected PC? What if the author of the virus no longer wanted the spotlight? What if the purpose of the worm were to make money and not just to disrupt computers? These what-ifs are no longer speculation; they describe the current nature of botnets. (Schiller, 2007)
Cyber crime is a phrase coined to describe crimes that take advantage of computers as tools and the Internet as a delivery mechanism. Cyber criminals are well trained and sometimes organized into international groups, as reported by the Georgia Institute of Technology (2008). Their motivation is money, and the tools they use are readily available online. Some sites permit visitors to rent a portion of a botnet and take control of a specific number of zombie computers for a fixed fee.
Exclusive control over a single zombie can sell for as little as 10 cents! In 2004, Botnets are well used by both hackers and spammers. Trojan software is often tailored to spamming, and some hackers even offer a “renting” alternative to spammers for less cost than buying the Botnet. (Spammer-X, 2004)
Countermeasures to curtail the emerging threats involve providing an isolated environment in the virtual IT lab and not permitting students access to the public Internet. A dedicated Internet connection would be used by faculty members only, to download software updates and software drivers for the operating system platforms. These updates and drivers would then be placed on a web server within the virtual IT lab environment for the students to access. A firewall will be placed on the dedicated Internet connection, and firewall rules will be implemented to permit only Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Domain Name System (DNS) traffic, and only to approved sites; all other outbound traffic is denied by default. All administration of the firewall will be performed using secure means from an instructor PC in the virtual environment that will not be accessible to students.
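The egress policy described above (deny by default, with only HTTP, FTP and DNS permitted, and only to approved sites) can be modelled and checked before it is committed to a real firewall, so that an administrator can confirm which connection attempts the rule set would pass. The following Python is an added example written for this page; it is not part of the thesis or of the college's configuration. The source and destination addresses, networks and port numbers are constructed placeholders, and the rule table deliberately omits FTP data channels, which a real firewall would handle with connection tracking.

```python
"""Default-deny egress policy evaluator for a lab Internet uplink.

Added example: models a firewall policy that permits only HTTP, FTP and DNS,
and only to approved destinations, then evaluates constructed connection
attempts against it. All addresses and networks are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service allowlist keyed by (transport, destination port).
# FTP data channels are omitted on purpose: passive FTP needs a
# connection-tracking helper, which this simplified model does not include.
ALLOWED_SERVICES = {
    ("tcp", 80): "http",
    ("tcp", 21): "ftp",
    ("udp", 53): "dns",
    ("tcp", 53): "dns",
}

# Approved destinations per service (constructed placeholders): the vendor
# update mirrors faculty download from, and the resolver they are allowed to use.
APPROVED_DESTINATIONS = {
    "http": [ip_network("203.0.113.0/24")],
    "ftp": [ip_network("203.0.113.0/24")],
    "dns": [ip_network("198.51.100.53/32")],
}


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt as it would appear in a firewall log."""
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(conn: Connection) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for a single connection attempt.

    Anything that does not match an allowed service AND an approved
    destination for that service is denied; there is no fall-through allow.
    """
    service = ALLOWED_SERVICES.get((conn.proto.lower(), conn.dport))
    if service is None:
        return "deny", f"{conn.proto}/{conn.dport} is not an approved service"
    dst = ip_address(conn.dst)
    if not any(dst in net for net in APPROVED_DESTINATIONS[service]):
        return "deny", f"{conn.dst} is not an approved {service} destination"
    return "allow", f"{service} to approved destination {conn.dst}"


def audit(connections):
    """Evaluate a batch; returns a list of (connection, verdict, reason)."""
    return [(c, *evaluate(c)) for c in connections]


# Constructed sample traffic from the instructor PC (10.10.0.5 is a placeholder).
SAMPLE = [
    Connection("10.10.0.5", "203.0.113.10", "tcp", 80),   # HTTP to update mirror
    Connection("10.10.0.5", "198.51.100.53", "udp", 53),  # DNS to approved resolver
    Connection("10.10.0.5", "203.0.113.10", "tcp", 443),  # HTTPS: not in the rule set
    Connection("10.10.0.5", "192.0.2.44", "tcp", 80),     # HTTP to unapproved host
    Connection("10.10.0.5", "203.0.113.10", "tcp", 21),   # FTP control channel
]

if __name__ == "__main__":
    for conn, verdict, reason in audit(SAMPLE):
        print(f"{verdict:5s} {conn.proto}/{conn.dport} {conn.src} -> {conn.dst}: {reason}")
```

The point of the model is the absence of a catch-all allow: a service that is not listed (HTTPS in the sample) and an approved service aimed at an unlisted host are both refused, which is what closes the proxy-site gap described earlier in the chapter. Translating the two tables into the syntax of the chosen firewall is then a mechanical step.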
Anti-spyware software is installed and updated on all computers in the college’s production domains. This practice will continue in the Virtual IT Lab, but updates will be downloaded directly to the lab’s web server rather than fetched by each lab machine. This practice prevents any cross-connection between the lab and production environments.
An added benefit of the Virtual IT Lab environment will be the capability to identify new emerging threats in a controlled environment. Scenarios designed for the lab will include packet analysis to aid students in network troubleshooting and in the security analysis of network traffic. Results from experiments in the lab, together with monitoring of the connection to the Internet, may provide evidence of new external threats. These threats may then be analyzed for severity, and mitigation activities developed to respond to them.
Accrediting Commission of Career Schools and Colleges. (2010). The Accreditation Process. Available from http://www.accsc.org
Broadstairs, K. (2000). 01-2-2 Quantifying Risk. In K. Broadstairs, R. King, & D. O'Conor (Eds.), Risk Management (p. 39). GBR: Scitech Educational.
Dragoon, A. (2003). Governance: Deciding factors. CIO. Retrieved February 18, 2010, from http://www.cio.com/article/29619/Governance_Deciding_Factors?page=1
Eckert, J. W., & Schitka, M. J. (2006). The hacker culture. In Linux+ Guide to Linux Certification (2nd ed., pp. 17-18). Boston, MA: Course Technology.
GAO. (1998). Executive guide: Information security management--learning from leading organizations (AIMD-98-68). GAO Reports, 1. Government Accounting Office.
Georgia Institute of Technology. (2008). Emerging cyber threats for 2009. CU360, 34(21), 4-5.
ISO 17799 Portol. (2007). What is ISO 17799? Available from http://17799.denialinfo.com/index.htm
Moteff, J. (2004). Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives. Library of Congress, Congressional Research Service.
Panel on Confidentiality Issues Arising from the Integration of Remotely Sensed and Self-Identifying, & National Research Council. (2007). Putting people on the map: Protecting confidentiality with linked social-spatial data. Washington, DC: National Academies Press.
Rainer, R., Snyder, C., & Carr, H. (1991). Risk analysis for information technology. Journal of Management Information Systems, 8(1), 134-135.
Schiller, C. (2007). Botnets. Network and Systems Professionals Association. Available from http://www.naspa.com/
Schniederjans, M. (2004). Information Technology: Decision-Making Methodology (p. 140). Singapore: World Scientific Publishing Company.
Spammer-X. (2004). Inside the SPAM Cartel: Trade Secrets from the Dark Side. Rockland, MA: Syngress Publishing.
Treviano, L. K., & Weaver, G. R. (2003). Managing Ethics in Organizations: A Social Scientific Perspective on Business Ethics. Palo Alto, CA: Stanford University Press.
U.S. Senate. (2009). Safe Internet Act: S 1047 IS. Library of Congress.