ECI NOC Admin School Course Outline-1

Infrastructure and Innovation

CONTENTS

MANAGEMENT’S RESPONSIBILITY

Management’s Role in Computer Security

Policies, Standards, and Procedures

Information Security Risk Management

Employment Policies and Practices

Legal Issues in Computer Security

Computer Crime and Computer Criminals

BASIC SAFEGUARDS

Contingency Planning and Disaster Recovery

Computer Risks and Insurance

Auditing Computer Security

System Application Controls

PHYSICAL PROTECTION

Hardware Elements of Security

Computer Facility Protection

Monitoring and Related Control Devices

TECHNICAL PROTECTION

Software and Information Security

Security of Computer Data, Records, and Forms

Data Encryption

Data Communications and Networking

Penetrating Computer Systems and Networks

Viruses and Related Threats to Computer Security

SPECIAL PROTECTION ISSUES

Outside Services

Security for Personal Computers

Local Area Network Security

Security on the Internet

  • Access Control Systems and Methodologies
    1. Access control concepts, methodologies, and implementation
    2. Access controls: detective, corrective, and preventative
    3. Access control techniques in centralized and decentralized environments
    4. Access control risks, vulnerabilities, and exposures
  • Security Architecture and Models
    1. Secure operating system principles, concepts, mechanisms, controls, and standards
    2. Secure architecture design, modeling, and protection
    3. Security models: confidentiality, integrity, and information flow
    4. Government and commercial security requirements
    5. Common criteria, ITSEC, TCSEC, IETF, IPSEC
    6. Technical platforms
    7. System security preventative, detective, and corrective measures
  • Disaster Recovery and Business Continuity Planning
    1. Business continuity planning, business impact analysis, recovery strategies, recovery plan development, and implementation
    2. Disaster recovery planning, implementation, and restoration
    3. Compare and contrast disaster recovery and business continuity
  • Security Management Practices
    1. Organizational security roles
    2. Identification of information assets
    3. Security management planning
    4. Security policy development; use of guidelines, standards, and procedures
    5. Security awareness training
    6. Data classification and marking
    7. Employment agreements and practices
    8. Risk management tools and techniques
  • Law, Investigation, and Ethics
    1. Computer crime detection methods
    2. Applicable computer crime, security, and privacy laws
    3. Evidence gathering and preservation methods
    4. Computer crime investigation methods and techniques
    5. Civil, criminal, and investigative law
    6. Intellectual property law
    7. ISC2 and IAB ethics application
  • Physical Security
    1. Prevention, detection, and correction of physical hazards
    2. Secure site design, configuration, and selection elements
    3. Access control and protection methods for facility, information, equipment, and personnel
  • Operations Security
    1. Resource protection mechanisms and techniques
    2. Operation security principles, techniques, and mechanisms; principles of good practice and limitation of abuses
    3. Operations security preventative, detective, and corrective measures
    4. Information attacks
    5. Access Control Subversion
  • Cryptography
    1. Cryptographic concepts, methods, and practices
    2. Construction of algorithms
    3. Attacks on cryptosystems
    4. Ancient cryptography and modern methods
    5. Public and private key algorithms and uses
    6. Key distribution and key management
    7. Digital signature construction and use
    8. Methods of attack, strength of function
  • Telecommunications and Network Security
    1. Overview of communications and network security
    2. Voice communications, data communications, local area, wide area, and remote access
    3. Internet/Intranet/Extranet, firewalls, routers, and network protocols
    4. Telecommunication and network security preventative, detective, and corrective measures
    5. System development process and security controls
    6. System development life cycle, change controls, application controls, and system and application integrity
    7. Database structure, concepts, design techniques, and security implications
    8. Object oriented programming
    9. Data warehousing and data mining
  • Review and Q&A Session
    1. Review concepts introduced in previous sessions
    2. Answer specific questions or concerns regarding CISSP preparation material
  • Test-Taking Tips and Study Techniques
    1. Tips for additional preparation for the CISSP exam
    2. Additional resources
    3. Techniques for scoring well on the exam

Course Summary

Cisco Hardware: Cisco 1800, 2900, 7200, 10K – ESR, 12K-GSR, CRS, Catalyst 6500 switches, Nexus switches

Other Network Hardware: Juniper MX960s, CSU/DSUs, DACS, secondary familiarity with ALU 77xx routers

Transport Protocols: MPLS, Frame-Relay, PPP, Packet over SONET (PoS), Gigabit Ethernet, LAN, WAN, MAN

Circuits: DS1, DS3, OC3, OC12, Ten Gigabit Ethernet

Network Protocols: TCP/IP, MPLS, 802.1Q, QoS, Multicast, Encryption (3DES), GRE tunneling

Routing Protocols: RIP, OSPF, BGP, IS-IS, HSRP/VRRP

Applications/Tools: OpenView, Netcool, InfoVista, Wireshark, Statseeker, IP management tools, Voyance, Remedy Ticketing, Citrix

Office Automation: Word, Excel, Outlook, PowerPoint

O/S and Software: Windows XP, SSH, VPN Client

SOFTWARE AND INFORMATION SECURITY

CONTENTS

Software Defined as Programs and Data Files

Overview of Current Computer Security Needs

Popular Misconceptions

Threats to Software

What are Programs?

What are Data Files?

Software Security Requirements for Environments with Mainframes and Minicomputers

  1. Security officer or Security Administrator
  2. Access to Programs and Data
  3. Protection of Programs
  4. Change Control Procedures

Protection of Information

  1. Controlling User Access to Files and Databases
  2. Controlling Technician Access to Files and Databases

Protection in Development

Assuring That Damaged or Lost Files Can Be Recovered

Protecting On-Line Files

  1. Record Lock on Update
  2. Backup Files and System Logs
  3. Recovery and Restart
  4. Back-out
  5. Activity Logs

Assuring that Data in the System is Valid

  1. GIGO Reduced
  2. Check Digits
  3. Range Checks
  4. Validity Checks Using Tables

Software Protection in a Decentralized Environment

  1. Similarities and Differences to Centralized Environments

Viruses

  1. What are Viruses?
  2. Protection Against Viruses

HARDWARE ELEMENTS OF SECURITY

CONTENTS

Introduction

Binary Design

  1. Pulse Characteristics
  2. Circuitry
  3. Coding

Parity

  1. Vertical Redundancy Checks (VRC)
  2. Longitudinal Redundancy Checks (LRC)
  3. Cyclical Redundancy Checks (CRC)
  4. Self-Checking Codes

Hardware Operations

  1. Read-after-Write
  2. Dual Read
  3. Echo
  4. Overflow
  5. Hardware Multiply
  6. Validity
  7. Replication

Interrupts

  1. Input/Output (I/O) Interrupts
  2. Supervisor Calls
  3. Program Check Interrupts
  4. Machine Check Interrupts
  5. External Interrupts
  6. Trapping

Data Storage

  1. Main Memory
  2. Read-Only Memory (ROM)
  3. Secondary Storage

Time

  1. Synchronous
  2. Asynchronous

Natural Enemies

  1. Power Failure
  2. Heat
  3. Humidity
  4. Water
  5. Dirt and Dust
  6. Radiation
  7. Downtime

Data Communications

  1. Dial-up Lines
  2. Leased Lines
  3. Wireless Communication
  4. Terminals
  5. Cryptography

Backup

  1. Personnel
  2. Hardware
  3. Power
  4. Testing

Recovery Procedures

Microcomputer Considerations

  1. Physical Damage
  2. Theft
  3. Power
  4. Static Electricity
  5. Data Communications
  6. Maintenance and Repair

Conclusion

COMPUTER FACILITY PROTECTION

CONTENTS

Introduction

The Security Planning Process

  1. Critical-Path Analysis
  2. Defining the Risk Factors
  3. Defining the Costs of Risks
  4. Weighing Security Alternatives

Designing Strong Physical Security

  1. How to Lay Out Computer and Equipment Rooms
  2. Design Considerations
  3. Electrical Power
  4. Power Line Protection
  5. Temperature Control
  6. Humidity Control
  7. Air Quality
  8. Fire Protection, Smoke, and Water Damage
  9. Monitors and Sensors
  10. Fire Suppression Systems
  11. Utilizing the Detectors
  12. Protecting the Protection

Protecting Wiring

  1. Optical Fiber: Now or Later?
  2. Certifying the Wiring and Cabling
  3. Controlling Access to Closets and Riser Rooms

Securing Storage Areas

  1. Tape and Disk Storage Rooms
  2. Forms Storage Rooms

Dealing with Existing Facilities

Protecting External Services

Summary

SECURITY OF COMPUTER DATA, RECORDS, AND FORMS

CONTENTS

Introduction

  1. Legal and Other Standards for Safeguarding Vital Records

Controls to Assure Integrity of Records

  1. Operating System Controls
  2. Controls for Each Application
  3. IDs for Terminal Users
  4. Passwords
  5. Production Time Analysis
  6. Data Output
  7. Encryption
  8. Network System Controls
  9. Power Protection
  10. Viruses

Backing Up Computer Data

  1. What Records to Back Up
  2. When to Make Backups
  3. Where to Keep Backup Copies
  4. How to Save and Transmit Backups to Storage
  5. Special Network Issues

Safeguarding Noncomputer Data

  1. Records Retention Plans: Scope and Importance
  2. Records Retention Principles
  3. Records Inventory and Analysis
  4. Participation by Legal, Audit, Operating, and Management Personnel
  5. Vital Records
  6. Legal Validity of Duplicates
  7. Where to Keep Records
  8. Association Support

Records Destruction Methods

  1. In-house
  2. Contractor
  3. Affidavit
  4. Destroying Electronic Data

Forms and Related Supplies

  1. Checks
  2. Other Forms
  3. Supplies

Conclusion

PENETRATING COMPUTER SYSTEMS AND NETWORKS

CONTENTS

Security: More Than a Technical Issue

  1. Technical Infrastructure
  2. Organizational Culture
  3. Data Leakage: A Fundamental Problem

Penetration Techniques

  1. Technical
  2. Misrepresentation (Social Engineering)
  3. Bulletin Board Systems

Countermeasures

  1. Strengthening the Perimeter
  2. Encryption
  3. Restrictions on Access
  4. Monitoring
  5. Prosecution

The Future of Computer Crime

CONTINGENCY PLANNING AND DISASTER RECOVERY

CONTENTS

Business Continuity: The Survival Instinct

Prerequisites For Contingency Planning

  1. Information Backup
  2. Management Commitment

Basic Elements of Contingency Plans

  1. Defining Contingency Planning Goals
  2. Vital Records Program
  3. Emergency Response Procedures
  4. Emergency Response Guidelines

Backup Requirements

  1. Hardware Backup
  2. Software and Information Backup
  3. Procedures and Documentation
  4. Backup for Related Activities

Alternatives for Backup Planning

  1. Vendor or Third-Party Resupply of Hardware
  2. On-the-Shelf Hardware
  3. Mutual Aid Agreements
  4. In-House Dual Sites
  5. Third-Party Hot Sites
  6. Third-Party Cold Sites and Warm Sites
  7. Alternative Ownership for Hot and Cold Sites
  8. Mobile Backup Sites
  9. Documenting the Disaster Recovery Planning Process

Management Responsibility

  1. Strategies
  2. Monitoring and Testing Results
  3. Reviewing and Updating Plans

DEFINITION OF CONTROL REQUIREMENTS

An effective and efficient management controls program is implemented through a set of clearly defined requirements. A set of 55 control requirements has been synthesized from the governing directives. This chapter describes these requirements and concludes with cross-references to the particular sections of the directives from which they were derived. The 55 control requirements are grouped under the four categories described in chapter 2:

  • Application controls
  • General controls
  • Administrative controls
  • Required system functions

Application Controls (1-7)

1. Transactions are authorized: the information entered into the system must be authorized by management for entry.

2. Transactions are valid: the information system must process only data that represent legitimate events.

3. Information is complete: all valid data, and only those data, are to be processed by the information system.

4. Information is accurate: data must be free from error during all phases of processing, within defined levels of tolerance.

5. Information is timely: data must reflect the correct cycle, version, or period for the processing being performed. Financial management data shall be recorded as soon as practical after the occurrence of the event, and relevant preliminary data shall be made available to managers promptly after the end of the reporting period.

6. System and data are secure: the data files, computer programs, and equipment must be secure from unauthorized, including accidental, changes; unauthorized disclosure and use; and physical destruction. Detective and corrective controls may also apply depending on the sensitivity/classification of the data.

7. System is auditable: an information trail must exist that establishes individual accountability for transactions and permits an analysis of breakdowns in the system and other anomalies.

General Controls (8-33)

8. System controls exist: for each information system, the controls system should ensure that appropriate safeguards are incorporated into the system, tested before implementation, and tested periodically after implementation.

9. Five-year system plan developed: a plan featuring specific milestones with obligation and outlay estimates for every system of the agency (both current and under development).

10. Contingency plan/disaster recovery plan exists: agencies shall develop, maintain, and test disaster recovery and continuity of operations plans for their data center(s). The plan’s objective is to provide reasonable continuity of data processing support if normal operations are prevented.

11. Vulnerability assessment conducted: a review of the susceptibility of a program or function to waste, loss, unauthorized use, or misappropriation. Includes vulnerability assessments or their equivalents, such as an audit.

12. Cost/benefit analysis exists: a review to determine and compare the benefits of the proposed system or control against the cost of developing and operating the system or control. Only those proposals where the expected benefits exceed the estimated costs by 10 percent should be considered for development unless otherwise specifically required by statute.

13. Reasonable assurance applied: reasonable assurance equates to a satisfactory level of confidence, based on management’s judgment of the cost/benefits of the controls versus the recognized risks. (Practically, it is recognized that it is not cost effective to attain 100 percent assurance.)

14. Control objectives defined: goals established to address a known vulnerability or promote reliability or security of a system.

15. Control techniques selected: methods to satisfy one or more control objectives by preventing, detecting, and/or correcting undesired events. More commonly referred to as “controls.”

16. Adequacy of security requirements determined: agencies shall ensure that the appropriate technical, administrative, physical, and personnel security requirements are included in specifications for the acquisition or operation of facilities, equipment, or software.

17. Security specifications exist: internal control and security objectives must be stated as design specifications and approved by management before development (programming) of the application system can begin.

18. Adequacy of security specifications determined: proof that the design specifications satisfy control objectives must be presented to management to authorize computer program development and/or modification (programming).

19. System design approved: before development (programming) of the system is authorized, management must be assured that the system design satisfies the user’s requirements and incorporates the control requirements. The design review must be documented and be available for examination.

20. Controls documented: internal control systems, including all transactions and significant events, are to be clearly documented and be readily available for examination.

21. System documentation exists: documentation must reflect the current state of the system as it is being operated. The documentation must be sufficient to ensure effective operation by users and system maintenance by programmers.

22. System contingency plan exists: plans must be developed, documented, and tested to assure that users of the system can continue to perform essential functions in the event the information technology support for their application is interrupted. The plan should also be consistent with the agency-wide disaster recovery plan. (See No. 20)

23. Controls tested: before a new or modified system is placed into production status, the controls should be tested to prove that the controls operate as intended. The test results should be documented and sent to management for approval to implement the system.

24. System test conducted: before implementation of the system is authorized, evidence that the system operates as intended must be presented to management. This evidence must also include the results of controls testing. The test results must be documented and available for examination.

25. Test results documented: the documentation should demonstrate that the control and functionality requirements operate as intended.

26. System certified prior to implementation: before a system can be implemented, an agency official shall certify that the system meets all applicable Federal policies, regulations, and standards, as well as state that test results demonstrate that installed controls are adequate for the application.

27. Controls review performed: periodically, the controls of each system must be tested to determine if the controls still function as intended. The results of these tests must be documented and available for examination.

28. Periodic reviews and re-certifications are conducted: at least every 3 years, agencies shall review applications and re-certify the adequacy of the safeguards. The re-certifications shall be documented and be available for review.

29. Periodic risk assessments are conducted: agencies shall conduct periodic risk assessments at each data center to provide a measure of the relative vulnerabilities and threats to the data center so that security resources can be effectively distributed to minimize potential loss.

30. Corrective action taken; audit findings resolved promptly: managers are to promptly evaluate audit findings and recommendations, determine proper corrective actions, and complete those actions.

31. Annual report on internal controls prepared: yearly, each agency must determine if its systems of internal controls are in compliance with the Comptroller General’s standards.

32. Annual report on accounting systems prepared: yearly, each agency must determine if its accounting systems are in compliance with the Comptroller General’s standards.

33. Annual reports to President sent: the head of each agency must sign both annual reports and transmit them to both the President and Congress.

Administrative Controls (34-45)

34. Organizational responsibility is affixed: the assignment of responsibilities for planning, directing, and controlling the controls evaluation process for the agency/segment is specified. The programs and functions conducted in each of the components have also been specified.

35. Separation of duties exists: key duties and responsibilities in authorizing, processing, recording, and reviewing transactions should be separated among individuals.

36. Supervision is provided: qualified and continuous supervision is to be provided to ensure that control requirements are met.

37. Supportive attitudes exist: managers and employees are to maintain and demonstrate a positive and supportive attitude toward controls at all times.

38. Personnel are competent: managers and employees are to have personal and professional integrity and are to maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good controls.

39. Security training program exists: agencies shall establish a security awareness and training program so that agency and contractor personnel involved with information systems are aware of their security responsibilities and know how to fulfill them.

40. Written policies and procedures exist: each agency shall establish administrative procedures to enforce the intended functioning of controls, including provisions that performance appraisals reflect execution of control-related responsibilities.

41. Personnel security policies exist: each agency should establish and manage personnel security procedures, including requirements for screening agency and contractor personnel designing, developing, operating, maintaining, or using the system. The level of screening depends on the sensitivity/classification of the system data.

42. Individual responsibilities are affixed: assignments of responsibility should be made for internal controls, accounting systems, and data center security on an agency-wide and individual system/center basis.

43. Custody/accountability assigned: the official whose function is supported by an information system is responsible and accountable for the products of the information system.

44. Record retention procedures exist: each agency must establish procedures as to retention, archiving, and destruction of data files.

45. Release of information provided for: each agency must have procedures in place so that information can be extracted from systems to meet requests made under the Privacy Act and the Freedom of Information Act.

Required System Functions (46-55)

46. System is efficient: the benefits of the system exceed the costs to develop or operate the system.

47. System operation is economical: uneconomical systems must be identified and phased out.

48. System is effective: periodically, each system should be reviewed to determine if the system still meets organizational needs.

49. System supports management: data shall be recorded and reported in a manner to facilitate carrying out the responsibilities of both program and administrative managers.

50. System supports budget: financial management data shall be recorded, stored, and reported to facilitate budget preparation, analysis, and execution.

51. Comparability/consistency provided for: financial management data shall be recorded and reported in the same manner throughout the agency, using uniform definitions that are synchronized with budgeting and used consistently for each reporting period.

52. Information is useful/relevant: data capture and reports shall be tailored to specific user needs, and if usage does not justify costs, data or reports shall be terminated.

53. System provides full disclosure: data shall be recorded and reported to provide users of the data with complete information about the subject of the report per OMB, Treasury, and Privacy Act standards.

54. Individual access allowed: systems must be able to extract any data contained in the database about individuals to meet requests to see the data by that individual or his/her representative when required by the Privacy Act.

55. Network compatibility exists: any systems developed or acquired must be compatible with any existing system that will be linked to the new system.