Detailed information about Security management concepts and principles

1. SECURITY MANAGEMENT
CONCEPTS AND PRINCIPLES
SECURITY & RISK MANAGEMENT
MODULE 5
DIVYA TIWARI
MEIT
TERNA ENGINEERING COLLEGE

2. INTRODUCTION
• Security management concepts and principles are inherent elements in a security policy and
solution deployment.
• They define the basic parameters needed for a secure environment.
• They also define the goals and objectives that both policy designers and system
implementers must achieve to create a secure solution. It is important for real-world
security professionals.
• The primary goals and objectives of security are contained within the CIA Triad, which is
the name given to the three primary security principles:
1. Confidentiality
2. Integrity
3. Availability
• A complete security solution should adequately address each of these tenets.
• Vulnerabilities and risks are also evaluated based on the threat they pose against one or
more of the CIA Triad principles.
• Thus, it is a good idea to be familiar with these principles and use them as guidelines for
judging all things related to security.

3. MEASURING ROI ON SECURITY
• Future security system improvements showing the return on investment (ROI) is one of the
most important tools you must show the need for system improvements.
• The return on investment calculation will compare the net benefits of a project to total
project costs.
• The benefits to a new system can be obvious- the improved safety for building occupants
and improved security for company assets.
• To prepare a ROI case for your security project the first step is to collect data to show the
costs and benefits for the proposed system.
• What are the costs of the project?
• The cost of not doing the project. What happens in the organization if you do not
implement the upgrades?
• After collecting all of the costs it is time to focus on the benefits. Benefits of a security
system upgrade can be direct or indirect.

4. • Once you have compiled all the cost and benefit information it is time to calculate the
return on investment.
ROI = (
𝑩𝒆𝒏𝒆𝒇𝒊𝒕 𝒂𝒇𝒕𝒆𝒓 𝑺𝒆𝒄𝒖𝒓𝒊𝒕𝒚 𝑰𝒏𝒗𝒆𝒔𝒕𝒎𝒆𝒏𝒕 −𝑪𝒐𝒔𝒕 𝒐𝒇 𝑰𝒏𝒗𝒆𝒔𝒕𝒎𝒆𝒏𝒕
𝑪𝒐𝒔𝒕 𝒐𝒇 𝑰𝒏𝒗𝒆𝒔𝒕𝒎𝒆𝒏𝒕
) x 100

5. SECURITY PATCH MANAGEMENT
• Security patches protect the security of devices and the data on them by applying the latest
updates that respond to the latest threats.
• In software engineering a patch refers to small adjustments to the code of software.
• Patch updates one component of the software to fix a bug or error discovered after product
release.
• Security patches address vulnerabilities in the software cybercriminals might use to gain
unauthorized access to device and data.
• Security patches for the operating system (OS) of device like Windows, iOS, Android are
crucial because an OS vulnerability can have far-reaching implications.
• For individuals and their devices, effective patch management can be as simple as turning
on automatic updates.
• Google and Apple, for example, make it easy to have smartphone manage the work of
keeping the OS and all of your apps patched to the most recent version.

6. • To check Android device’s security patch level, Google offers an easy online tool.
• For organizations, patch management they need to oversee a wide range of equipment,
often in different locations.
• A patch that requires time to install may also interrupt the functioning of the device, so it’s
vital to plan the timing of patches around the schedules of the people using the device.
• For systems that need to operate 24/7, patching is not an easy process.
Importance of Patch Management
1.Reduce exposure to cyberattacks
1.Avoid lost productivity
1.Protect your data
1.Protect customer data
1.Protect others on your network

7. PURPOSE OF INFORMATION SECURITY
MANAGEMENT
• The purpose of the information security management process is to align IT security with
business security and ensure that the confidentiality, integrity and availability of the
organization’s assets, information, data and IT services always matches the agreed needs of
the business.
• The Objectives of Information security management are:
1. Protect the interests of those relying on information.
2. Protect the systems and communications that deliver the information.

8. BUILDING BLOCKS OF INFORMATION
SECURITY
• Encryption: Modification of data for security reasons prior to their transmissions so that it
is not comprehensible without the decoding method.
• Cipher: Cryptographic transformation that operates on characters or bits of data.
• Cryptanalysis: Methods to break the cipher so that encrypted message can be read.
• Electronic Signature: Process that operates on a message to assure message source
authenticity, integrity and non-repudiation.
• Non-Repudiation: Methods by which the transmitted data is tagged with sender’s identity
as a proof so neither can deny the transmission.
• Steganography: Method of hiding the existence of data. The bit map images are regularly
used to transmit hidden messages.
• Identification: It is a method by which a user claims his identity to a system.

9. • Authentication: It is the method by which a system verifies the identity of a user or
another system.
• Accountability: It is the method by which a system tracks the actions performed by a user
or a process.
• Authorization: It is a method by which a system grants certain permissions to a user.
• Privacy: It is protection on individual data and information.

10. OVERVIEW OF SSE CMM
• The Systems Security Engineering Capability Maturity Model (SSE-CMM) describes
the essential characteristics of an organization’s security engineering process that must
exist to ensure good security engineering.
• The model is a standard metric for security engineering practices covering:
1. The entire life cycle, including development, operation, maintenance, and
decommissioning activities.
2. The whole organization, including management, organizational, and engineering
activities.
3. Concurrent interactions with other disciplines, such as system, software, hardware,
human factors, and test engineering; system management, operation, and
maintenance.
4. Interactions with other organizations, including acquisition, system management,
certification, accreditation, and evaluation.

11. • The objective of the SSE-CMM Project is to advance security engineering as a defined,
mature, and measurable discipline.
• The SSE-CMM model and appraisal methods are being developed to enable:
1. Focused investments in security engineering tools, training, process definition,
management practices, and improvements by engineering groups.
2. Capability-based assurance, that is, trustworthiness based on confidence in the
maturity of an engineering group’s security practices and processes.
3. Selection of appropriately qualified providers of security engineering through
differentiating bidders by capability levels and associated programmatic risks.
• The scope of the SSE-CMM encompasses the following:
1. The SSE-CMM addresses security engineering activities that span the entire trusted
product or secure system life cycle, including concept definition, requirements analysis,
design, development, integration, installation, operations, maintenance, and
decommissioning.
2. The SSE-CMM applies to secure product developers, secure system developers and
integrators, and organizations that provide security services and security engineering.

12. 3. The SSE-CMM applies to all types and sizes of security engineering organizations, such
as commercial, government, and academic.
Benefits of using
SSE-CMM
To Engineering Organizations To Acquiring Organizations To Evaluation Organizations

13. SSE-CMM RELATIONSHIP TO OTHER
INITIATIVES

14. CAPABILITY LEVELS
• Capability Level 1 – Performed Informally
• Capability Level 2 – Planned and Tracked
• Capability Level 3 – Well Defined
• Capability Level 4 – Quantitatively Controlled
• Capability Level 5 – Continuously Improving

15. SECURITY ENGINEERING PROCESS
OVERVIEW
Security Engineering Process has three main areas

16. Risk
security risk process involves threats, vulnerabilities and impact

17. Engineering
security is an integral part of the overall engineering process

18. Assurance
Assurance process builds an argument establishing confidence

19. CONFIGURATION MANAGEMENT
• An information system infrastructure is a complex and evolving system.
• Changes to the system affect its ability to effectively enforce the security policies and
therefore protect the organization’s assets.
• The process of managing the changes to the system and its components is referred to as
configuration management.
• Configuration management is the process of identifying configuration items, controlling
their storage, controlling change to configuration items, and reporting on their status.
1. Configuration Items—Configuration items (CIs) are unique work products that are
individually controlled, tracked, and reported on.
2. CI Protection—Configuration items must be protected from unauthorized changes.
Without protection of the CIs, a configuration management system cannot function.
3. Change Control—There must exist a process by which changes to configuration items
are reviewed, approved, and controlled.

20. 4. Status Reporting—Configuration management systems must be able to report the status
of any configuration item and its history of changes. Moreover, the reporting feature
must be capable of generating a version of the system based on the correct version of
each of the configuration items.

21. CONFIGURATION MANAGEMENT
FRAMEWORK

22. MU Exam Questions
May 2017
• Give a brief overview of the SSE-CMM maturity model. 10 marks
Dec 2017
• Explain role of configuration management in security of an organization. Give the
configuration management framework. 10 marks
May 2018
• What is security engineering? Give a brief overview of the SSE-CMM model. 10 marks
• Discuss role of Configuration Management in the security of an organization. 10 marks
Dec 2018
• Discuss role of CM in the security of an organization. 10 marks
May 2019
• Explain role of configuration management in security of an organization. Give the
configuration management framework. 10 marks