Security Process

The Importance of Policies and Procedures

John J. Fay , David Patterson , in Contemporary Security Direction (Fourth Edition), 2018

Security Procedure

A security procedure is a fix sequence of necessary activities that performs a specific security task or function. Procedures are normally designed as a series of steps to be followed as a consequent and repetitive approach or cycle to accomplish an end upshot. Once implemented, security procedures provide a ready of established actions for conducting the security affairs of the system, which will facilitate preparation, procedure auditing, and procedure comeback. Procedures provide a starting indicate for implementing the consistency needed to decrease variation in security processes, which increases control of security inside the arrangement. Decreasing variation is likewise a skillful way to eliminate waste, improve quality, and increase performance within the security department.

Read full affiliate

URL:

https://www.sciencedirect.com/science/article/pii/B9780128092781000244

Security Policy Overview

Craig Wright , in The It Regulatory and Standards Compliance Handbook, 2008

Developing a Security Policy

The aim of this process is to develop policies and procedures that are designed to run across the business organization needs of the organization. This process should provide a framework under which all security architecture pattern, implementation and management tin exist accomplished.

Security policy and procedures should exist created from information collected from the organization and its staff. To determine what your security requirements are, is best achieved by a combination of:

The results of an information asset inventory

Interviews with information nugget owners

Interviews with It security staff

Interviews with organisation managers.

The side by side stage is to develop a corporate security policy that will contain, at a minimum:

A definition of information security with a clear argument of management's intentions

An explanation of specific security requirements including:

Compliance with legislative and contractual requirements

Security education, virus prevention and detection, and business organization continuity planning

A definition of general and specific roles and responsibilities for the various aspects of your data security program

An caption of the requirement and process for reporting suspected security incidents

The process, including roles and responsibilities, for maintaining the policy certificate

Begin past Talking About the Event

Before you even showtime to write policy, find some people and discuss what you want to attain. Talk nearly the merchandise-offs:

Could the policy exist more liberal or stricter?

Could it exist more specific or more liberal?

In that location are ii principal reasons to do this:

The aim is to get buy in from the stakeholders. Request people's opinion earlier sending them a draft allows you to make up one's mind the views of others and also to demonstrate that y'all care about their opinion and want their feedback. This gets people involved.

By discussing the policy out loud, yous begin to collate the concepts into a logical readable issue.

The Utilize of the English Linguistic communication in Policy Should Be Simple

Policy should be uncomplicated. For nigh organizations it should be targeted somewhere between 6th and 9th grade mastery of the English language language.

Overly wordy policies with impressive sounding words are ordinarily misunderstood.

Keep the linguistic communication used in writing policy Simple!

Policy Should Be Evaluated on Clarity and Conciseness

When yous are evaluating policy, assess information technology from the perspective of the consumer. In this case this is the individual who needs to read, understand, and follow the policy.

The policy but has to be clear and concise.

If users start to read something they practise not understand, they tend to continue to something else.

Read full affiliate

URL:

https://www.sciencedirect.com/science/article/pii/B9781597492669000060

Assessing Security Awareness and Knowledge of Policy

Craig Wright , in The IT Regulatory and Standards Compliance Handbook, 2008

Information Security Procedures

Procedures can be defined as a detail course or mode of action. They describe an act or style of proceedings in whatever action or process. The procedures explain the processes required in requesting USERIDs, password handling, and destruction of information. The procedures for requesting USERIDs or access changes will be conducted in the future via E-mail with easy to utilize templates that prompt the requester for all the information required. Requests can be expedited in a matter of minutes providing greater productivity for all concerned.

The Information Security Procedures can exist described as the "action manual". It contains the following sections on how to.

USERIDs Request Procedures This department outlines in detail the steps required to request admission to the system or, change access or suspend/delete admission. At that place are clear easy to follow steps with diagrams of the panels yous will run into and instructions on how to consummate the dissimilar fields. In that location are private sections on good password procedures, reporting breaches of security and how to written report them.

Personnel Security Procedures This section outlines personnel security procedures for hiring, induction, termination and other aspects of dealing with information security personnel issues.

Disposal of Sensitive Waste The disposal of sensitive waste is indeed a high contour one at the moment especially in light of contempo stories in the popular printing. It is amusing to run across what is on the back of the reused computer newspaper that comes out of the kindergarten.

Read full chapter

URL:

https://world wide web.sciencedirect.com/science/article/pii/B9781597492669000084

Functional Analysis and Allocation Practice

Richard F. Schmidt , in Software Applied science, 2013

11.two.10 Identify information security procedures

Information security functions and procedures must exist identified that protect confidential or classified information. Information security is a profession that addresses a broader range of computer security and data assurance challenges. Information security represents a subset of the data security capabilities that volition be performed by the software product. Information security means protecting information and data systems from unauthorized access, employ, disclosure, disruption, modification, perusal, inspection, recording, or devastation. Software engineering involves the institution of logical controls that monitor and regulate access to sensitive (confidential or classified) information. Data security functions must exist identified and the appropriate procedures divers for:

Access control, including user account administration, identification, authentication, and potency. Access control protects data past restricting the individuals who are authorized to access sensitive information.

Information security classification, involving the identification of different data classification levels, the criteria for information to be assigned a particular level, and the required controls to govern the admission to each level of sensitive data.

Cryptography, including data encryption and decryption.

Read full chapter

URL:

https://www.sciencedirect.com/scientific discipline/article/pii/B9780124077683000112

Success Factors

Stephen D. Gantz , Daniel R. Philpott , in FISMA and the Risk Management Framework, 2013

Security Measurement Process

The security measurement procedure described in Special Publication 800-55 comprises two separate activities—security measure development and security measure implementation. During security measure development organisation owners and information security program managers determine relevant measures and select measures appropriate for the country of the security program or the data system. The selection of security measures considers organizational strategic goals and objectives, mission and business organization priorities, security and information resources requirements, and the operational environments in which information systems are deployed. Agencies also need to ensure that the advisable technical and functional capabilities are in identify earlier initiating security measurement, including mechanisms for information collection, analysis, and reporting. The process of developing security measures, illustrated in Effigy 5.2, kickoff identifies and defines measurement requirements so selects the fix of measures that will satisfy those requirements. Because security measurement and functioning direction are iterative processes, the type of measures implemented and the specific metrics used to mensurate performance modify over fourth dimension, as the organisation matures its security measurement practices and every bit information technology gains new information through the collection of functioning data.

Figure 5.2. Security Measurement is an Iterative Process that Aligns Organizational Goals and Objectives to Security Strategy, Policies, and Other Guidance Implemented by Organizational Information Security Programs and Evaluated Using Implementation, Effectiveness and Efficiency, and Affect Metrics [37]

The identification of security measurement needs depends in part on ensuring that the procedure includes all relevant stakeholders and represents their interests. Senior organizational leaders with management or oversight responsibleness for information security, information resources management, or adventure management are obvious candidates to participate in security measure definition, forth with mutual control providers and information system owners, program managers and business process owners, security officers, and personnel responsible for implementing or operating security controls. Stakeholder interests typically differ depending on the roles and responsibilities stakeholders have, their level within the organization structure, and the employees, users, or program beneficiaries or service consumers they correspond. Some stakeholder responsibilities may represent to needs for particular measures that provide a function—or domain-specific perspective on data security performance. The data security program should encourage stakeholder participation throughout the process of security measure development to validate the applicability of the measures selected. The type of measures selected—implementation, effectiveness and efficiency, or impact—as well typically vary by stakeholder, as senior leaders may be more interested in impact and efficiency measures while system owners and operational security personnel typically emphasize implementation and effectiveness measures [38]. Agencies identify and document information security goals and objectives and security requirements that guide security control implementation for individual information systems and for the organizational information security plan. Sources considered in this part of the procedure include agency, data applied science, and security strategic plans, performance plans, policies, laws, regulations, and associated guidance. With respect to FISMA requirements, FIPS 200 specifies minimum security requirements for information systems categorized at different impact levels [39], corresponding to required security controls selected from Special Publication 800-53. Security controls selected for implementation and documented in information arrangement security plans provide a key source of implementation measures, as system owners and information security program managers have an interest in verifying the proper implementation of selected measures to achieve adequate security protection for their information systems.

Organizational security policies and procedures often include implementation details specifying how dissimilar security controls should exist implemented based on security control and control enhancement descriptions in Special Publication 800-53 and security objectives for each command divers in Special Publication 800-53A. This guidance provides valuable input to the development of security measures and determinations of the most advisable methods to use to measure security control performance. Agencies should also identify existing metrics and sources of data potentially useful in measuring program-level or system-level security functioning, including information in system security plans, risk assessment reports, security assessment reports, plans of action and milestones, inspector general audit reports, and continuous monitoring reports. Selected information security measures may address the security performance of specific security controls, groups of related or interdependent controls, an information arrangement, or security function, service, or program spanning multiple systems. Agencies typically evolution and implement measures focused on dissimilar aspects of security and with different scope to encompass all relevant performance objectives, aggregating measures or measurement perspectives to provide and organizational view of data security performance. The prepare of measures with potential applicability security performance drivers and objectives is typically big and various. To overcome the challenges comprehensive measurement would present, agencies need to prioritize performance objectives and implemented measures to ensure that selected measures provide advisable coverage for security controls and information systems categorized at higher risk levels.

Tip

Agencies and their system owners have widely varying experience developing and implementing information security performance measures. NIST lists candidate operation measures in Special Publication 800-55 [40], providing sample measures for each security control family and indicating the blazon of measure out (implementation, effectiveness and efficiency, or impact) and whether the measures apply at the program or system level. Agencies can use these same measures as a guide to developing security measures for their own systems and data security programs to help ensure that the set of measures selected includes all types and addresses all relevant areas of operation.

Establishing performance targets is also an important element of defining and implementing information security measures. Performance targets establish a set of objectives against which agencies tin measure out success. Using initial security measurement results equally a baseline for performance, agencies tin can use initial and current measurement values and performance targets to runway progress towards achieving security objectives. Different performance targets typically apply to different types of measures—implementation measure performance targets often reflect full implementation (such as "100%" on a quantitative scale, "implemented" or "complete" on an ordinal scale) while targets for effectiveness and efficiency measures and impact measures are often stated as relative improvements sought at each measurement interval or equally the attainment of specific performance levels driven by concern objectives.

Read total affiliate

URL:

https://www.sciencedirect.com/scientific discipline/article/pii/B9781597496414000059

Security and Privacy in LTE-based Public Safety Network

Hamidreza Ghafghazi , ... Carlisle Adams , in Wireless Public Safety Networks 2, 2016

Paging process in LTE

Another issue among security procedures of LTE arises when the network pages a UE. The paging process is as follows: there are different modes like active and idle for the UE. When the UE is in the idle style, information technology disconnects itself from the base station. Suppose the connexion should exist re-established with an idle subscriber every bit a consequence of a voice telephone call initiation. The base station broadcasts a paging message inside the user's tracking area which consists of several cells. This paging message contains a set of temporary IDs since the base station pages several users at a time. The temporary ID that is included in the paging message is the TMSI which provides pseudonymity of the UEs [TAT xiii]. Once the user hears its TMSI, it will alter its land to active and answer to the call.

Because this preceding process, suppose that an adversary is the one who initiated the telephone call and sent the request to the base station. Then, the assailant monitors the paging aqueduct to obtain the set of TMSIs that accept been paged by base station inside the user's tracking surface area. Since there are several TMSIs within a single paging bulletin, the assailant initiates the aforementioned telephone call several times. Therefore, continuing this procedure would consequence in obtaining several sets of TMSIs for the attacker. At this point, intersecting those identities could yield the TMSI of the intended user. The procedure is shown in Figure 11.5. Information technology is worth mentioning that TMSI will not be changed within sure tracking surface area and that the paging messages are not encrypted. Changing the tracking expanse by the user would pb to obtaining a new TMSI. Thus, performing the same attack enables an adversary to also track the location of the subscriber as well.

Figure eleven.v. Paging assault

Note that in commercial networks, information technology would be expensive for an attacker to perform this assault, and the outcome would simply be the temporary identity of one regular subscriber. In PSN, this regular subscriber is a first responder. Therefore, the consequences of this particular set on may be crucial.

To ensure privacy during the paging procedure, a physical layer approach is proposed in [TAT thirteen]. The authors use a function with the UE'south temporary ID every bit input and a tag every bit output. During the paging period of a subscriber, instead of transmitting TMSI, the corresponding tag would exist inserted. However, whatsoever correlation amidst the tags for unlike users should not be. An interesting point is that the transmission power of the signal needs not to be at such a level that the receiver could decode information technology. The receiver should only be able to observe the signal to exist able to ensure if she/he has been paged or not. This results in saving free energy. This scheme is also beneficial in terms of downlink bandwidth conservation. Despite the efficiencies of this approach, one drawback of it is the demand to alter the physical layer procedure that would lead to irresolute the hardware, which might exist costly.

Read total chapter

URL:

https://world wide web.sciencedirect.com/scientific discipline/article/pii/B9781785480522500116

NGMNs, 3G, and 4G Networks

Syed 5. Ahamed , in Intelligent Networks, 2013

7.five.3 Evolved Packet Core

This CN has at least five components: the MME, the domicile subscriber server (HSS), the SGW, the PDNGW, and the PCRF gateway.

The MME handles the security procedures (user hallmark, ciphering, and integrity protection), the final/network sessions including identification and collection of idle channels. The user subscriber (ID and addressing) information and the user profile data in HSS are invoked via the S6 interface. Any radio path ciphering and integrity data specific to the user is also stored in the HSS. The SGW links the parcel data to the E-UTRAN. It serves equally an anchor node for data transfer point until the next handover. The PDNGW links the packet information to the PDN. Packet filtering and virus-infected packets are removed from the network at this gateway. Finally, the policy decision role (PDF), charging rules function (CRF) are housed in the PCRF server. Additional constraints may also be temporarily interjected by this server.

Read total chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780124166301000078

The FedRAMP Deject Computing Security Requirements

Matthew Metheny , in Federal Cloud Computing, 2013

Personnel Security (PS)

PS-1 Personnel Security Policy and Procedures
Command Requirement: The organization develops, disseminates, and reviews/updates at least annually:
a.

A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management delivery, coordination amidst organizational entities, and compliance; and

b.

Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
References:

NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook.

NIST SP 800-100, Data Security Handbook: A Guide for Managers.

PS-2 Position Categorization
Control Requirement: The organisation:
a.

Assigns a risk designation to all positions;

b.

Establishes screening criteria for individuals filling those positions; and

c.

Reviews and revises position risk designations at to the lowest degree every three years.
References:

C.F.R. 731.106(a), Designation of public trust positions and investigative requirements—Risk Designation.

PS-3 Personnel Screening
Control Requirement: The arrangement:
a.

Screens individuals prior to authorizing admission to the information arrangement; and

b.

Rescreens individuals according to the following conditions:

For national security clearances; a reinvestigation is required during the 5th year for tiptop cloak-and-dagger security clearance, the tenth year for secret security clearance, and 15th year for confidential security clearance.

For moderate gamble law enforcement and high impact public trust level, a reinvestigation is required during the 5th twelvemonth. There is no reinvestigation for other moderate take a chance positions or any low gamble positions.

References:

5 C.F.R. 731.106, Designation of public trust positions and investigative requirements.

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems.

FIPS Publications 201, Personal Identity Verification (PIV) of Federal Employees and Contractors.

NIST SP 800-73, Interfaces for Personal Identity Verification (4 Parts)—Pt. i- Stop Point PIV Card Application Namespace, Data Model & Representation; Pt. two- PIV Card Application Carte Command Interface; Pt. 3- PIV Client Awarding Programming Interface; Pt. 4- The PIV Transitional Interfaces & Data Model Specification.

NIST SP 800-76, Biometric Data Specification for Personal Identity Verification.

NIST SP 800-78, Cryptographic Algorithms and Key Sizes for Personal Identification Verification (PIV) ICD 704, Personnel Security Standards and Procedures Governing Eligibility for Admission and other Controlled Access Program Information to Sensitive Compartmented Data.

PS-4 Personnel Termination
Control Requirement: The organization, upon termination of individual employment:
a.

Terminates data organisation admission;

b.

Conducts leave interviews;

c.

Retrieves all security-related organizational information system-related property; and

d.

Retains access to organizational data and information systems formerly controlled by terminated private.
References:
PS-5 Personnel Transfer
Control Requirement: The arrangement reviews logical and physical admission authorizations to information systems/facilities when personnel are reassigned or transferred to other positions inside the arrangement and initiates JAB canonical and accepted service provider defined transfer or reassignment actions inside five days.
References:
PS-half-dozen Access Agreements
Control Requirement: The organisation:
a.

Ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and

b.

Reviews/updates the access agreements at least annually.
References:
PS-7 Third-Party Personnel Security
Control Requirement: The organization:
a.

Establishes personnel security requirements including security roles and responsibilities for third-political party providers;

b.

Documents personnel security requirements; and

c.

Monitors provider compliance.
References:

NIST SP 800-35, Guide to Information Applied science Security Services.

PS-8 Personnel Sanctions
Control Requirement: The organisation employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
References:

Read total chapter

URL:

https://www.sciencedirect.com/scientific discipline/article/pii/B9781597497374000095

The Open System Services Subsystem

In Securing HP NonStop Servers in an Open up Systems World, 2006

AP-Communication-SETUID-01

Create procedures to review and document all requests to setuid programs.

The visitor's HP NonStop Server Security Procedures should include the following instructions for managing setuid requests for in-house programs:

i.

The request for setuid should include a total explanation of the program's purpose and a justification of the use of privileged procedures.

2.

The system managing director or a trusted programmer must review the plan'due south function.

3.

Direction must approve the setuid in writing with authorized signature(s).

4.

To ensure that the source lawmaking matches the actual object program, the system manager, not the programmer, should compile and bind the final program.

five.

The programme must be tested to ensure that it does not perform or permit any actions that would exist considered security violations. This test is usually performed by the security staff.

6.

The in a higher place document should exist maintained in a file for future reference by auditors.

7.

Requests for setuiding user programs may be allowed if the following conditions are met:

a.

The function is legitimate and necessary.

b.

The function cannot be achieved using nonprivileged programming techniques.

Secure setuid'd programs then that merely authorized users tin execute them.

Read full affiliate

URL:

https://www.sciencedirect.com/science/article/pii/B9781555583446500135

Security

Magnus Olsson , ... Catherine Mulligan , in EPC and 4G Packet Networks (2nd Edition), 2013

7.iii.4 Trusted and Untrusted Not-3GPP Accesses

3GPP has also defined required security procedures for UEs that connect to the EPC using a not-3GPP admission. Equally mentioned in Chapter vi, 3GPP has defined two classes of accesses, or rather ii types of procedures, for how to connect a UE to EPC via a non-3GPP access: trusted non-3GPP accesses and untrusted non-3GPP accesses. The definition of these two types of non-3GPP accesses is a mutual source of defoliation. It should, however, be noted that whether a specific non-3GPP access network is considered as trusted or untrusted is only indirectly related to the admission technology itself. It is rather the operator that decides whether it wants to treat a particular not-3GPP access network as trusted or untrusted. In a roaming scenario, it is the domicile operator that decides. This could, for example, mean that a particular non-3GPP admission network (e.chiliad. a WLAN network) is considered trusted by one operator but untrusted past another operator, even though the security properties of the network are the aforementioned for both operators. It may instead be that the operators have dissimilar preferences when it comes to how a 3GPP UE should connect to EPC via that network. Equally described in Chapter 6, connectivity solutions using IPsec tunnels are used in untrusted non-3GPP networks, while connectivity solutions for trusted non-3GPP networks, rely on the connectivity solutions native to the detail access engineering without boosted secure tunneling from the UE.

The description for when a non-3GPP access is considered equally trusted was recently updated and is described in TS 33.402 equally: "When all of the security characteristic groups provided past the non-3GPP access network are considered sufficiently secure past the domicile operator, the non-3GPP access may be identified every bit a trusted non-3GPP admission for that operator. However, this policy decision may additionally be based on reasons not related to security feature groups." The description of when to consider a not-3GPP access equally untrusted is described in the same specification as: "When i or more of the security characteristic groups provided by the non-3GPP access network are considered not sufficiently secure by the abode operator, the non-3GPP access may be identified as an untrusted not-3GPP access for that operator. However, this policy conclusion may additionally be based on reasons not related to security feature groups."

In the following sections we will look more closely at the access security in trusted and untrusted non-3GPP accesses.

Read total chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780123945952000074