A – Assets – Something of value requiring protection (hardware, software, data, reputation)
B – Backup – The three most important safeguards – backup, backup, backup
C – Countermeasures and Controls – Prevent, detect, and recover from security incidents
D – DAA and Other Officials – Manage and accept risk and authorize the system to operate
E – Ethics – The body of rules that governs an individual’s behavior
F – Firewalls and Separation of Duties – Minimize the potential for “incident encroachment”
G – Goals – Confidentiality, Integrity, and Availability (CIA)
H – Hackers/Crackers – Intruders who are threats to any system
I – Individual Accountability/Responsibility – Individuals responsible for their own actions
J – Job Description/Job Function – Defines the individual’s roles within the organization
K – Keys to Incident Prevention – Awareness, compliance, common sense
L – Laws and Regulations – Establish basic control/security objectives
M – Model Framework – Relates training needs to roles and responsibilities
N – Need to Know – Limits access to data, sets objective for ongoing learning
O – Ownership – Establishes responsibility/accountability for asset protection
P – Policies and Procedures – What to accomplish and how to accomplish it
Q – Quality Assurance/Quality Control – Ensure the integrity of the process
R – Risk Management – Balances potential adverse impact against safeguard cost
S – Security Training – The best return on investment of any security safeguard
T – Threats – Are always present, and generally occur when least expected
U – Unique Identifiers – Provide for individual accountability and facilitate access control
V – Vulnerabilities – Security weaknesses through which threats impact the system
W – Waste, Fraud, and Abuse – The three primary impacts of a security incident
X – eXpect the uneXpected – Don’t assume that because something hasn’t happened, it won’t
Y – You – Your actions/inactions are critical to maintaining an effective security environment
Z – Zoning/Compartmentalization – Establish security layers and minimize incident impact
Thirsty for more?
Assets — Assets are something of value that requires protection. The value of an asset may be monetary or non-monetary. For example, a computer system clearly has a monetary value that may be expressed in terms of its cost of acquisition or replacement. Data, however, is an asset that may have a monetary value (the cost to acquire), a non-monetary value (loss of public confidence regarding data accuracy), or both.
Backup — Backups of data and/or processes are critical safeguards in any IT security environment. The concept of backup includes creation and testing of disaster recovery and continuity of operations plans as well as preparation of copies of data files that are stored “out of harm’s way.”
Countermeasures and Controls — Countermeasures, controls, and safeguards are terms that are often used synonymously. They refer to the procedures and techniques used to prevent the occurrence of a security incident, detect when an incident is occurring or has occurred, and provide the capability to respond to or recover from a security incident. A safeguard may be a password for a user identifier, a backup plan that provides for offsite storage of copies of critical files, audit trails that allow association of specific actions to individuals, or any of a number of other technical or procedural techniques. Basically, a safeguard is intended to protect the assets and availability of IT systems.
DAA and Other Officials — Certain individuals within an organization are responsible for allocating resources. Resources may be allocated to address IT security issues or any of a number of other competing organizational needs. The individual who has such authority for a specific IT system may be termed a Designated Accrediting Authority (DAA), Approving Authority, Authorizing Official, Recommending Official, or other titles specific to an organization. Whatever the title, the individual who has the authority to allocate resources is also responsible for balancing risks and costs and accepting any residual risks in making those decisions. The accrediting authorities are often helped in these decisions by certifying authorities who provide assessments of the technical adequacy of the current security environment and recommendations for resolving deficiencies or weaknesses.
Ethics — The body of rules that governs an individual’s behavior. It is a product of that individual’s life experiences and forms a basis for deciding what is right and wrong when making decisions. In today’s environment, ethics are, unfortunately, situational (i.e., an individual’s definition of what is right and wrong changes depending on the nature of a particular situation). For example, an individual may believe that it is wrong to break into someone’s house, but not think that it is wrong to break into someone’s computer system.
Firewalls and Separation of Duties — Firewalls and separation of duties have similar structures and complementary objectives: a firewall is a technical safeguard that provides separation between activities, systems, or system components so that a security failure or weakness in one is contained and has no impact on other activities or systems (e.g., enforcing separation of the Internet from a Local Area Network). Separation of duties similarly provides separation, but its objective is to ensure that no single individual (acting alone) can compromise an application. In both cases, procedural and technical safeguards are used to enforce a basic security policy that high risk activities should be segregated from low risk activities and that one person should not be able to compromise a system.
Goals — The goals of an IT security program can be summarized in three words: confidentiality – data must be protected against unauthorized disclosure; integrity – IT systems must not permit processes or data to be changed without authorization; and availability – authorized access to IT systems must be assured.
Hackers/Crackers — The term “hacker” was originally coined to apply to individuals who focused on learning all they could about IT, often to the exclusion of many other facets of life (including sleeping and eating). A “cracker” is any individual who uses advanced knowledge of networks or the Internet to compromise network security. Typically, when the traditional hacker compromised the security of an IT system, the objective was academic (i.e., a learning exercise), and any resulting damage or destruction was unintentional. Currently, the term hacker is being more widely used to describe any individual who attempts to compromise the security of an IT system, especially those whose intention is to cause disruption or obtain unauthorized access to data. Hacker/cracker activity generally gets high press coverage even though more mundane security incidents caused by unintentional actions of authorized users tend to cause greater disruption and loss.
Individual Accountability/Responsibility — A basic tenet of IT security is that individuals must be accountable for their actions. If this is not followed and enforced, it is not possible to successfully prosecute those who intentionally damage or disrupt systems, or to train those whose actions have unintended adverse effects. The concept of individual accountability drives the need for many security safeguards such as user identifiers, audit trails, and access authorization rules.
Job Description/Job Function — To provide individuals with the training necessary to do their job, and to establish appropriate safeguards to enforce individual accountability, it is necessary to know what functions an individual is authorized to perform (i.e., their role(s) within the organization). Sometimes this is accomplished using formalized/written job descriptions. In other situations, such assessments are based on analysis of the functions performed.
Keys to Incident Prevention — Many IT security incidents are preventable if individuals incorporate three basic concepts into their day-to-day activities: one, awareness – individuals should be aware of the value of the assets they use to do their job and the nature of associated threats and vulnerabilities; two, compliance – individuals should comply with established safeguards (e.g., scanning diskettes, changing passwords, performing backups); and three, common sense – if something appears too good to be true, it generally is.
Laws and Regulations — Congress has enacted a number of laws (e.g., Privacy Act, Computer Security Act, Computer Fraud and Abuse Act) that establish the basic policy structure for IT security in the Federal government. These laws have been augmented with regulations and guidance regarding their applicability to IT systems. Private industry generally grounds its security policies on the impact on profitability and potential risk of lawsuits, as there are few specific legal requirements. The commonality between Federal and private IT security programs demonstrates that the objectives are the same whether the impetus was a law or the bottom line.
Model Framework — This document presents a model framework for IT security training. The model framework describes individual training needs relative to job function or role within the organization. The model recognizes that an individual’s need for IT security training will change, both in scope and depth, relative to their organizational responsibilities.
Need to Know — Need to Know is addressed from two perspectives: first, a need for access to information to do a job; and second, need to know as a driver for continued learning. In the first case, access to information and processes should be restricted to that which the individual requires to do their job. This approach minimizes the potential for unauthorized activities, and maximizes the potential that the individual knows and understands the nature of the threats and vulnerabilities associated with their use or maintenance of an IT system. In the second case, given the rate of technological change, individuals need to know the characteristics of those technologies so they may be better able to address specific vulnerabilities.
Ownership — Responsibility for the security of an IT system or asset must be assigned to a single, identifiable entity, and to a single, senior official within that entity. This provides for accountability for security failures and establishment of the chain of command that authorizes access to and use of system assets. This concept of individual responsibility and authority is generally termed ownership or stewardship. The ownership of an asset (particularly data) is generally retained, even when that asset is transferred to another organization. For example, tax data shared with other Federal and state agencies by the Internal Revenue Service must be secured in accordance with the Internal Revenue Code.
Policies and Procedures — IT security safeguards are intended to achieve specific control objectives. These objectives are contained within security policies that should be tailored to the needs of each IT system. Procedures define the technical and procedural safeguards that have been implemented to enforce the specified policies. IT security procedures may be documented in a security plan.
Quality Assurance/Quality Control — Quality Assurance and Quality Control are two processes that are used to ensure the consistency and integrity of security safeguards. Specifically, these processes are intended to ensure that security countermeasures perform as specified, under all workload and operating conditions.
Risk Management — Risk management is the process whereby the threats, vulnerabilities, and potential impacts from security incidents are evaluated against the cost of safeguard implementation. The objective of Risk Management is to ensure that all IT assets are afforded reasonable protection against waste, fraud, abuse, and disruption of operations. Risk Management is growing in importance as the scope of potential threats is growing while available resources are declining.
Security Training — Security training is the sum of the processes used to impart the body of knowledge associated with IT security to those who use, maintain, develop, or manage IT systems. A well trained staff can often compensate for weak technical and procedural safeguards. Security training has been demonstrated to have the greatest return on investment of any technical or procedural IT security safeguard.
Threats — Threats are actions or events (intentional or unintentional) which, if realized, will result in waste, fraud, abuse, or disruption of operations. Threats are always present, and the rate of threat occurrence cannot be controlled. IT security safeguards, therefore, must be designed to prevent or minimize any impact on the affected IT system.
Unique Identifiers — A unique identifier is a code or set of codes that provides a positive association of authorities and actions with individuals. Safeguards must be in place to ensure that an identifier is used only by the individual to whom it is assigned.
Vulnerabilities — Vulnerabilities are weaknesses in an IT system’s security environment. Threats may exploit or act through a vulnerability to adversely affect the IT system. Safeguards are used to mitigate or eliminate vulnerabilities.
Waste, Fraud, and Abuse — Waste, fraud, and abuse are potential adverse impacts that may result from a breakdown in IT security. Waste, fraud, and abuse are specifically identified as potential impacts in government-wide policy.
eXpect the uneXpected — IT security safeguards target unauthorized actions. Unauthorized actions (acts by individuals or Acts-of-God) can take many forms and can occur at any time. Thus, security safeguards should be sufficiently flexible to identify and respond to any activity that deviates from a pre-defined set of acceptable actions.
You — You are responsible and will be held accountable for your actions relative to an IT system or its associated data. You can strengthen or weaken an IT security environment by your actions or inactions. For example, you can strengthen an IT environment by changing passwords at appropriate intervals and weaken it by failing to do so.
Zoning/Compartmenting — Zoning/Compartmenting is a concept whereby an application is segmented into independent security environments. A breach of security would require a security failure in two or more zones/compartments before the application is compromised. This layered approach to security can be applied within physical or technical environments associated with an IT system.