
CSG3309 Security Models

The document discusses various IT security models and frameworks that can be used to guide organizational security practices. It describes how formal security models provide standard ways of implementing security that have been developed by governing bodies and standards organizations. Some examples of security models mentioned include the Australian Cyber Security Centre's Information Security Manual, ISO 27000 standards, and the Payment Card Industry Data Security Standard. The document also discusses how established security models and frameworks can be adapted to individual organizational needs and environments through processes like benchmarking and selecting recommended practices.

Uploaded by

snyderlola0

IT Security Models

What to Learn

What is a security model or framework?

The types of organisational and operational security models

Industry specific security models and standards

A range of established security models

Some function specific security models

A closer look at some data classification models


“Everything that can be invented, has been invented”

(Punch Magazine, 1899) (Crouch, n.d.)


Don’t reinvent the wheel
Yep, we’re saying it again!

Formal models provide a standard or accepted way of doing things.
– Developed or ratified by governing bodies, professional groups, standards bodies and government agencies.

If you use a good model, all you need to do is justify WHY you chose that model.
– No need to justify every minor decision.
Image: CC0 via pixabay.com
Established models help support your decisions
A broad range of models
Models, standards and practices can cover a wide variety of industries,
technologies, scenarios and situations.
Security models can be used to guide business practices, for example:
‒ Australian Cyber Security Centre’s Information Security Manual
‒ ISO 27000
Some models may be very specific to certain security requirements:
‒ access control model
‒ document classification model
‒ secure computing architecture
‒ “secure boot” model
Some industry groups also use standards to check compliance.
– The Payment Card Industry Data Security Standard (PCI DSS)
Formal security management models
What are security models?
InfoSec models are standards that are used for reference or comparison and often serve as the stepping-off point for emulation and adoption.
One way to select a methodology is to adapt or adopt an existing security management model or set of practices.
Because each InfoSec environment is unique, you may need to modify or adapt portions of several frameworks; what works well for one organization may not precisely fit another.
Source: Management of Information Security, 5th Edition - © Cengage Learning
Blueprints, frameworks and security models
Framework, model and blueprint are closely related.
The communities of interest accountable for the security of an organization’s information assets must design a working security plan and then implement a management model to execute and maintain that plan.

This may begin with the creation or validation of a security framework, followed by an InfoSec blueprint that describes existing controls and identifies other necessary security controls.

A framework or security model is the outline of the more thorough and organization-specific blueprint.

These documents form the basis for the design, selection, and initial and ongoing implementation of all subsequent security controls, including policy, SETA and technologies.

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


Blueprints, frameworks and security models
To generate a usable security blueprint, most organizations draw on
established security frameworks, models, and practices
Another way to create a blueprint is to look at the paths taken by other
organizations
In this kind of benchmarking, you follow the recommended practices or
industry standards
Benchmarking can help to determine which controls should be
considered, but it cannot determine how those controls should be
implemented in your organization
Adapted from: Management of Information Security, 5th Edition - © Cengage Learning
From models to practice
Remember:
‒ models are standards or ideals for imitation.
‒ practices are the customs and procedures of your organisation.

If you decide to develop your own models, you need to also prove your models are secure and your decisions reasonable. (How?)

Building your practices on well established, well tested and trusted models means you can focus on the job of implementing models.
Benchmarking
Benchmarking can be used as an internal tool to compare
current performance against past performance and to
look for trends of improvement or areas that need
additional work
In information security, two categories of benchmarks are
used
1. Standards of due care and due diligence
2. Recommended practices or best security practices
Best practices include a sub-category of practices—called the gold standard—that are generally regarded as “the best of the best”
Image: Mass Standards (National Institute of Standards and Technology)
Source: Management of Information Security, 5th Edition - © Cengage Learning
1. Standards of due care/due diligence
For legal reasons, certain organizations may be compelled to adopt a stipulated minimum level of security; to establish a future legal defense, they may need to verify that they have done what any prudent organization would do in similar circumstances. This is known as a standard of due care.
Due diligence requires that an organization ensure that the implemented
standards continue to provide the required level of protection
Organizations must make sure that they have met a reasonable level of security
in all areas and that they have adequately protected all information assets
before making efforts to improve individual areas to meet the highest
standards
Source: Management of Information Security, 5th Edition - © Cengage Learning
2. Selecting recommended practices
Industries that are regulated by laws and standards and are
subject to government or industry oversight are required
to meet the regulatory or industry guidelines in their
security practices

For other organizations, government and industry guidelines can serve as excellent sources of information about what is required to control InfoSec risks
Source: Management of Information Security, 5th Edition - © Cengage Learning
Selecting recommended practices cont …
When choosing from among recommended practices for your
organization, consider the following:
Does your organization resemble the identified target organization of the
recommended practice?
Are you in a similar industry as the target?
Do you face similar challenges as the target?
Is your organizational structure similar to the target?
Are the resources you can expend similar to those called for by the
recommended practice?
Are you in a similar threat environment as the one assumed by the
recommended practice?
Source: Management of Information Security, 5th Edition - © Cengage Learning
Limitations to benchmarking and
recommended practices
A barrier to benchmarking in information security is secrecy (a successful attack is viewed as an organizational failure, and is kept secret)
Another barrier to benchmarking is that no two organizations are identical
Organizations that offer products or services in the same market may differ
dramatically in size, composition, management philosophy, organizational
culture, technological infrastructure, and planned expenditures for
security
A third problem with benchmarking is that recommended practices are a
moving target
Knowing what happened a few years ago, which is typical in benchmarking,
does not necessarily tell you what to do next
Adapted from: Management of Information Security, 5th Edition - © Cengage Learning
Let’s get this party started

Waahooo!

Up next: some existing security management standards, models and frameworks


Existing security models and frameworks
Many security standards, models and frameworks have been
freely published by government departments, standards
groups, and private organisations.
Some organisations may choose an existing framework based
on their clients, for example:
– a company that develops products for the Australian Department of Defence may try to be compliant with the Australian Government Information Security Manual (ISM)
– a point-of-sale system manufacturer may need to demonstrate compliance
with the PCI DSS (Payment Card Industry Data Security Standard).
Australian Government
Information Security Manual (ISM)
Dozens of guidelines for
– physical security
– communications systems
– software development
– ICT equipment management
– personnel security
(and much more)

Published by the Australian Cyber Security Centre
Australian Government
Information Security Manual (ISM)
“...assist organisations in using their risk management framework to protect their
information and systems from cyber threats”

“...based on the experience of the Australian Cyber Security Centre (ACSC) and
the Australian Signals Directorate (ASD)”

“discusses both governance and technical concepts in order to support the protection of organisations’ information and systems”

uses a “risk-based” approach


NIST security models and frameworks
NIST documents have two notable advantages:
they are publicly available at no charge
they have been available for some time and thus have been broadly reviewed
(and updated) by government and industry professionals
– SP 800-12, Computer Security Handbook
– SP 800-14, Generally Accepted Security Principles & Practices
– SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems
– SP 800-30, Rev. 1, Guide for Conducting Risk Assessments
– SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and
Organizations
– SP 800-53A, Rev. 4, Assessing Security and Privacy Controls in Federal Information
Systems and Organizations: Building Effective Assessment Plans

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


NIST SP 800-100 Information Security handbook

• Provides managerial guidance for establishing and implementing an information security program
• Thirteen areas of information security
management
• Provide for specific monitoring activities for each task
• Tasks should be done on an ongoing basis
• Not all issues are negative
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-100.pdf
Payment Card Industry Data Security Standard

A set of practices defined and administered by the Payment Card Industry Security Standards Council (PCI SSC)
PCI DSS
PCI SSC established by the major credit card
companies: Visa, MasterCard, American
Express, JCB international and Discover.
PCI DSS

The PCI SSC:


...maintains, evolves, and promotes the Payment Card Industry
Security Standards. It also provides critical tools needed for
implementation of the standards such as assessment and scanning
qualifications, self-assessment questionnaires, training and
education, and product certification programs. (PCI Security
Standards Council, n.d.)
PCI DSS
Area 1: Build and maintain a secure network and systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Area 2: Protect cardholder data


3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Area 3: Maintain a vulnerability management program


5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


PCI DSS
Area 4: Implement strong access control measures
7. Restrict access to cardholder data by a business’s need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Area 5: Regularly monitor and test networks


10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Area 6: Maintain an information security policy


12. Maintain a policy that addresses information security for all personnel

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


The ISO 27000 series
The ISO 27000 series is a compilation of international standards all related to Information Security
• One of the most widely referenced security models
• Standard framework for information security that states organizational security policy is needed to provide management direction and support
• Purpose is to give recommendations for information security management
• Provides a starting point for developing organizational security
The ISO 27001/2

ISO/IEC 27002:2013 provides information on 14 security control clauses and addresses 35 control objectives and more than 110 individual controls

Its companion document, ISO/IEC 27001:2013, provides information for how to implement ISO/IEC 27002 and set up an Information Security Management System (ISMS)

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


The ISO 27000 series
• ISO/IEC 27000—Information security management systems; overview and vocabulary
• ISO/IEC 27001—Information technology; security techniques; information security management systems
• ISO/IEC 27002—Code of practice for information security management
• ISO/IEC 27003—Information security management system implementation guidance
• ISO/IEC 27004—Information security management; measurement
• ISO/IEC 27005—Information security risk management
The ISO 27000 series
• ISO/IEC 27006—Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007—Guidelines for information security management systems auditing (focused on the management system)
• ISO/IEC TR 27008—Guidance for auditors on ISMS controls (focused on the information security controls)
• ISO/IEC 27010—Information security management for inter-sector and inter-organizational communications
• ISO/IEC 27011—Information security management guidelines for
The ISO 27000 series
• ISO/IEC 27018—Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO/IEC 27031—Guidelines for information and communication technology readiness for business continuity
• ISO/IEC 27032—Guideline for cybersecurity
• ISO/IEC 27033-1—Network security—Part 1: Overview and concepts
ISO/IEC 27001 major process steps (figure)
Control Objectives for Information and related
Technology
Control Objectives for Information and related Technology (COBIT) also provides advice
about the implementation of sound controls and control objectives for InfoSec
COBIT was created by the Information Systems Audit and Control Association (ISACA)
and the IT Governance Institute (ITGI) in 1992
COBIT 5 provides five principles focused on the governance and management of IT in an
organization:
– Principle 1: Meeting Stakeholder Needs
– Principle 2: Covering the Enterprise End-to-End
– Principle 3: Applying a Single, Integrated Framework
– Principle 4: Enabling a Holistic Approach
– Principle 5: Separating Governance From Management
COBIT
Information Technology Infrastructure Library (ITIL)
The Information Technology Infrastructure Library (ITIL) is a collection
of methods and practices useful for managing the development and
operation of information technology infrastructures

The ITIL has been produced as a series of books, each of which covers
an IT management topic

Since it includes a detailed description of many significant IT-related practices, it can be tailored to many IT organizations

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


Information Security Governance Framework

The Information Security Governance Framework is a managerial model which provides guidance in the development and implementation of an organizational information security governance structure

The core of the Information Security Governance Framework includes recommendations for the responsibilities of members of an organization

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


Compliance Frameworks

Compliance requires risk-based controls to ensure the confidentiality, integrity and availability of information that is stored, transferred or processed.

Security standards and regulations that organisations adhere to vary by industry.

Building comprehensive compliance programs requires ongoing risk management so that all potential threats are identified and remediated.
ZZzzzzzzz.....______

Wake up, I think they’re talking about us!

Up next... Using technical models to manage security


Function specific security models

Similar to organisational security models, function specific security models exist to formalise and analyse security components such as:
• Access control
• Data classification schemes
• Security architecture

Image: CC0 via pixabay.com


Access control models
Access controls regulate the admission of users into trusted
areas of the organization—both the logical access to the
information systems, or the physical access to the
organization’s facilities

Access control is maintained by means of a collection of policies, programs to carry out those policies, and technologies that enforce policies
Source: Management of Information Security, 5th Edition - © Cengage Learning
Access control models
The general application of access control comprises four
processes:
obtaining the identity of the entity requesting access to a logical or
physical area (identification)
confirming the identity of the entity seeking access to a logical or
physical area (authentication)
determining which actions an authenticated entity can perform in
that physical or logical area (authorization)
and finally, documenting the activities of the authorized individual
and systems (accountability)
Source: Management of Information Security, 5th Edition - © Cengage Learning
Access control models
Access control is built on several key principles:
Least privilege: The principle by which members of the organization
can access the minimum amount of information for the minimum
amount of time necessary to perform their required duties
Need to Know: Limits a user’s access to the specific information
required to perform the currently assigned task, and not merely to
the category of data required for a general work function
Separation of Duties: A control requiring that significant tasks be split
up in such a way that more than one individual is responsible for
their completion
Source: Management of Information Security, 5th Edition - © Cengage Learning
Categories of access controls and examples

Source: Management of Information Security, 5th Edition - © Cengage Learning


NIST control categories
Management — Controls that cover security processes that are designed by
strategic planners, integrated into the organization’s management practices,
and routinely used by security administrators to design, implement, and
monitor other control systems
Operational (or Administrative) — Controls that deal with the operational
functions of security that have been integrated into the repeatable
processes of the organization
Technical — Controls that support the tactical portion of a security program and
that have been implemented as reactive mechanisms to deal with the
immediate needs of the organization as it responds to the realities of the
technical environment

Source: Management of Information Security, 5th Edition - © Cengage Learning


Mandatory Access Controls (MACs)
A Mandatory Access Control (MAC) is required and is structured and coordinated within a data classification scheme that rates each collection of information as well as each user

These ratings are often referred to as sensitivity levels or classification levels

When MACs are implemented, users and data owners have limited control over access to information resources

Source: Management of Information Security, 5th Edition - © Cengage Learning


Access Control Models: Bell-LaPadula
Bell-LaPadula (No Read Up and No Write Down model)

Designed to protect the confidentiality of information. Typically tied to security clearance and data classification.
• 1st Rule: The Simple Security property (No Read Up); a subject should not be able to read information classified higher than its security clearance.
• 2nd Rule: The Star (*) Security property (No Write Down); a subject should not be able to write to information classified lower than its security clearance.

Source: Management of Information Security, 5th Edition - © Cengage Learning
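The two Bell-LaPadula rules above are easiest to understand as a small reference monitor. The Python below is an added example written for this page, not code from the lecture deck or from the Whitman and Mattord textbook it cites. The four-level ordering, the user clearances and the document labels are constructed for illustration. It goes a little beyond the slide: each label also carries a set of need-to-know compartments (the deck's later "Security clearance" slide makes the same point, that clearance level alone is not enough), so a read is allowed only when the subject's label dominates the object's label in both level and compartments, and a write only when the object's label dominates the subject's.

```python
"""Bell-LaPadula reference-monitor check: no read up, no write down.
Added example, not from the lecture deck. Levels, compartments, users and
documents below are constructed sample data."""
from dataclasses import dataclass

# Linear ordering of classification levels (constructed; mirrors a four-tier scheme).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a classification level plus optional need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's level AND A holds every
        # compartment that B requires (the lattice ordering BLP is defined over).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject's clearance must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object must dominate the subject's clearance,
    so a subject can never copy what it knows into a less-protected object."""
    return obj.dominates(subject)


def check_access(subject: Label, obj: Label, action: str) -> bool:
    """Reference-monitor entry point. Anything other than read/write is denied (fail closed)."""
    if action == "read":
        return can_read(subject, obj)
    if action == "write":
        return can_write(subject, obj)
    return False


# Constructed sample clearances and document labels.
ANALYST = Label("secret", frozenset({"crypto"}))
ENGINEER = Label("confidential")
DOCS = {
    "design_notes": Label("confidential"),
    "key_schedule": Label("secret", frozenset({"crypto"})),
    "targeting_memo": Label("secret", frozenset({"nuclear"})),
    "board_brief": Label("top_secret"),
}


def access_matrix(subject: Label) -> dict:
    """Return {document: (may_read, may_write)} for every sample document."""
    return {name: (check_access(subject, lbl, "read"), check_access(subject, lbl, "write"))
            for name, lbl in DOCS.items()}


if __name__ == "__main__":
    for who, clearance in (("analyst", ANALYST), ("engineer", ENGINEER)):
        for name, (r, w) in access_matrix(clearance).items():
            print(f"{who:9s} {name:15s} read={str(r):5s} write={w}")
```

Note what the matrix shows: the secret-cleared analyst can read a confidential document but cannot write to it (no write down), and cannot read a secret document in a compartment they do not hold, even though the level matches. The confidential engineer cannot read the top-secret brief but can write to it, which is exactly the "write up" that BLP permits and that integrity models such as Clark-Wilson exist to constrain.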


Access Control Models: Clark-Wilson
Clark-Wilson (Integrity Model)
Primarily concerned with information integrity.
Provides a foundation for specifying and analysing an integrity policy for information systems.
Integrity goals:
• No changes by unauthorised subjects
• No unauthorised changes by authorised subjects
Protects integrity based on two concepts:
1. Well-formed transactions
2. Separation of duties. No one person performs all required tasks to complete a business function or process.
Relies on change control to limit interactions.
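To make the two Clark-Wilson concepts concrete, here is an added Python example (written for this page, not code from the deck or the cited textbook) of a toy payments ledger. The account balances are the constrained data items; they can only be changed through two certified transformation procedures, submit_transfer and approve_transfer; an access-triple table says which user may run which procedure; and the separation-of-duties rule forbids the submitter from approving their own transfer. An integrity verification procedure checks after every transaction that money was neither created nor destroyed. All users, accounts and triples are constructed sample data.

```python
"""Clark-Wilson integrity enforcement for a toy payments ledger.
Added example, not from the lecture deck. Users, accounts and access triples are constructed."""
from dataclasses import dataclass
from itertools import count
from typing import Optional


class PolicyViolation(Exception):
    """Raised when a request would violate the integrity policy."""


@dataclass
class Transfer:
    """A pending transfer: an unconstrained data item until a second person approves it."""
    src: str
    dst: str
    amount: int
    submitted_by: str
    approved_by: Optional[str] = None


class Ledger:
    """Constrained data items (account balances). Only the certified TPs below may change them."""

    def __init__(self, balances: dict):
        self._balances = dict(balances)
        self._expected_total = sum(balances.values())  # invariant checked by the IVP
        self.pending: dict = {}
        self._ids = count(1)
        self.log: list = []  # accountability: every TP invocation is recorded

    def balance(self, acct: str) -> int:
        return self._balances[acct]

    def ivp(self) -> bool:
        """Integrity verification procedure: no money created or destroyed, no overdraft."""
        return (sum(self._balances.values()) == self._expected_total
                and all(v >= 0 for v in self._balances.values()))


# Access triples (user, TP, CDI): who is certified to run which procedure on which data.
ACCESS_TRIPLES = {
    ("alice", "submit_transfer", "ledger"),
    ("bob", "approve_transfer", "ledger"),
    ("carol", "submit_transfer", "ledger"),
    ("carol", "approve_transfer", "ledger"),
}


def _authorise(user: str, tp: str, cdi: str = "ledger") -> None:
    if (user, tp, cdi) not in ACCESS_TRIPLES:
        raise PolicyViolation(f"{user} is not certified to run {tp} on {cdi}")


def submit_transfer(ledger: Ledger, user: str, src: str, dst: str, amount: int) -> int:
    """TP 1: validate the request and park it as a pending item (a well-formed transaction
    checks its inputs before touching any CDI)."""
    _authorise(user, "submit_transfer")
    if amount <= 0 or src == dst or src not in ledger._balances or dst not in ledger._balances:
        raise PolicyViolation("malformed transfer request")
    tid = next(ledger._ids)
    ledger.pending[tid] = Transfer(src, dst, amount, user)
    ledger.log.append((user, "submit_transfer", tid))
    return tid


def approve_transfer(ledger: Ledger, user: str, tid: int) -> bool:
    """TP 2: a different certified user applies the transfer, moving the CDI from one valid
    state to another. Separation of duties: the submitter may not also approve."""
    _authorise(user, "approve_transfer")
    t = ledger.pending.get(tid)
    if t is None:
        raise PolicyViolation("no such pending transfer")
    if t.submitted_by == user:
        raise PolicyViolation("separation of duties: submitter may not approve their own transfer")
    if ledger._balances[t.src] < t.amount:
        raise PolicyViolation("insufficient funds")
    ledger._balances[t.src] -= t.amount
    ledger._balances[t.dst] += t.amount
    t.approved_by = user
    del ledger.pending[tid]
    ledger.log.append((user, "approve_transfer", tid))
    if not ledger.ivp():  # a certified TP must leave the CDI in a valid state
        raise PolicyViolation("IVP failed after transaction")
    return True


def violates(fn, *args) -> bool:
    """True if the call is rejected by the integrity policy, False if it is allowed."""
    try:
        fn(*args)
    except PolicyViolation:
        return True
    return False


if __name__ == "__main__":
    led = Ledger({"ops": 100, "vendor": 0})
    tid = submit_transfer(led, "alice", "ops", "vendor", 40)
    print("alice approving her own transfer rejected:", violates(approve_transfer, led, "alice", tid))
    print("bob approves:", approve_transfer(led, "bob", tid), led.balance("ops"), led.balance("vendor"))
```

Note that carol holds both triples and can therefore submit or approve, yet still cannot approve a transfer she submitted herself: separation of duties is a property of the transaction, not only of the access table. Nothing in the block exposes a way to change a balance except the two TPs, which is the "change control" the slide refers to.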
Shhh.. It’s a secret!

“... shut up!”

Up next... Models for classifying data


Quick detour …. Data Responsibilities

• Data owner: responsible for the security and use of a particular set of information
• Data custodian: responsible for storage, maintenance, and protection of information
• Data users: end users who work with information to perform their daily jobs supporting the mission of the organisation
Data classification models
Data owners must classify the information assets for which they are responsible and
review the classifications periodically
The Australian Government Attorney-General’s Department defines a multi-purpose, multi-level classification scheme:
‒ Divides information into official and unofficial categories.
‒ Official information can be classified as sensitive, protected, secret or top-secret.
The U.S. military uses a four-level classification scheme as defined in Executive Order 13526 (2009), similar to the Australian scheme.
Simple scheme for other organizations:
‒ Public
‒ For official (or internal) use only
‒ Confidential (or Sensitive)

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


The AGD Protective Security Policy Framework

Published by the Australian Government Attorney-General’s Department (AGD).

“details how entities correctly classify their information and adopt handling arrangements that guard against information compromise”

Framework to identify information assets, in order to develop protective security controls.
Security clearance to access classified information
In a security clearance structure, each user of an information asset is
assigned an authorization level that indicates the highest level of
information classification they may access

Most organizations have developed roles and corresponding security clearances, so individuals are assigned into authorization levels correlating with the classifications of the information assets

In the need-to-know principle, regardless of one’s security clearance, an individual is not allowed to view data simply because it falls within that individual’s level of clearance
Source: Management of Information Security, 5th Edition - © Cengage Learning
AGD - Protective Security Policy Framework (three figure slides)

Source: Australian Government Attorney-General’s Department, 2018

Information Classification – Assessing Value
Deciding on a Security Classification (assessing value)
• How valuable is the information?
• Is the information subjective or objective?
• How critical is the information to the ongoing operations of the organisation?
• How sensitive is the information?
• How many personnel are authorised to have access to the information?
• What could or would happen if an unauthorised person accessed the information?
Information Classification
Determine a classification system appropriate to the organization.

Does the organization require a three, four or five tier system?
Consider:
• Controls and safeguards are expensive
• Controls and safeguards require ongoing education and training
• There is an ongoing battle between security vs. convenience
ISO/IEC 27001:2015
Source: ISO/IEC 27001:2015 Annex A Table A1 Information Classification

A.8.2.1 Classification of Information
Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modifications

A.8.2.2 Labelling of Information
Control: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organisation

A.8.2.3 Handling of Assets
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organisation
Supporting Classification Systems

Markings: Used to identify the value of data and display its classification; includes metadata.
Access (controls): Used to allow access to information based on classification.
Staff Awareness: The system should be simple enough to navigate and the rules should be clear. The classification system should not be too complicated. All staff should be trained in classification and handling of information.
Disposal: How should the asset be disposed of?
Storage: How should the asset be stored?
Marking classified documents with cover sheets

But.. Who on earth prints documents these days?


Consider: how do you mark digital documents?
Example Schema
Columns: Classification Category | Description | Information Asset | Label / marking | Access | Disposal

Public
Description: Information that may be distributed to the public without causing damage to the organization
Information asset: advertisements, brochures, published annual accounts, web pages
Label / marking: none
Access: Public use, everyone
Disposal: General waste; no additional controls

Internal
Description: Information whose unauthorized disclosure, particularly outside the organization, would be inappropriate and inconvenient.
Information asset: Most corporate information falls into this category. Departmental memos, information on internal bulletin boards, training materials, policies, operating procedures, work instructions, guidelines, reports, contracts, Service Level Agreements, internal vacancy notices, intranet Web pages
Label / marking: INTERNAL USE ONLY; apply to bottom left of page
Access: Staff only
Disposal: Paper documents: shred. Electronic data: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops etc. to IT for appropriate disposal

Confidential
Description: Highly sensitive or valuable information, both proprietary and personal. Must not be disclosed outside of the organization without the explicit permission of a Director-level senior manager.
Information asset: Passwords and PIN codes, credit / debit card numbers, personal information (such as employee HR records, accounting data, other highly sensitive or valuable information, IPP)
Label / marking: “CONFIDENTIAL”; apply to bottom left corner of each page.
Access: Access control groups – dedicated staff
Disposal: Paper documents: shred using an approved cross-cut shredder. Electronic data: erase. Dead hard drives, laptops etc. to IT for disposal.

Source: Information Classification Matrix and Handling Guide, 2009, ISO27001security.com


References
Australian Cyber Security Centre. (2019, January). Australian Government Information Security Manual. Retrieved
from
https://cyber.gov.au/business/publications/australian-government-information-security-manual-ism/pdf/Australian_G
overnment_Information_Security_Manual.pdf
Australian Government Attorney-General’s Department. (2018). Protective Security Policy Framework. Retrieved
from
https://www.protectivesecurity.gov.au/information/sensitive-classified-information/Documents/pspf-infosec-08-sensiti
ve-classified-information.pdf
Crouch, D. (2011). Tracing the Quote: Everything that can be Invented has been Invented. Retrieved 10 February
2019, from
https://patentlyo.com/patent/2011/01/tracing-the-quote-everything-that-can-be-invented-has-been-invented.html
Hubbard, D. W., & Seiersen, R. (2016). How to Measure Anything in Cybersecurity Risk. Hoboken, NJ, USA: John
Wiley & Sons, Inc. https://doi.org/10.1002/9781119162315
Macquarie dictionary : Australia’s national dictionary online. (2003). [North Ryde, N.S.W.]: Macquarie Library.
PCI Security Standards Council. (n.d.). Official PCI Security Standards Council Site - Verify PCI Compliance,
Download Data Security and Credit Card Security Standards. Retrieved 10 February 2019, from
https://www.pcisecuritystandards.org/about_us/
Punch Magazine. (1899). Joke: The Coming Century.
Whitman, M. E., & Mattord, H. J. (2016). Management of Information Security. Mason, OH, United States: Cengage Learning. Retrieved from http://ebookcentral.proquest.com/lib/ecu/detail.action?docID=5231253
