INFORMATION SECURITY
PRESENTED BY,
Ms. R.APARNA
III B.Sc [CS]
CNSS SECURITY MODEL
CNSS stands for Committee on National Security Systems (a group belonging to the National Security Agency [NSA]).
CNSS has developed the National Security Telecommunications and Information Systems Security Instruction (NSTISSI) standards.
NSTISSI standards are 4011, 4012, 4013, 4014, 4015, 4016. U
of L has met the 4011 and 4012 standards in the InfoSec
curriculum.
CNSS Security Model (The McCumber Cube)
The three dimensions of the cube: Storage, Processing, Transmission; Confidentiality, Integrity, Availability; Technology, Education, Policy.
The model identifies a 3 x 3 x 3 cube with 27 cells. Security applies to each of the 27 areas.
These cells deal with people, hardware, software, data, and procedures. A hacker uses a computer (hardware) to attack another computer (hardware).
COMPONENTS OF
INFORMATION SYSTEM
SOFTWARE:
The programs/application programs used to control and coordinate the hardware components. They are used for analyzing and processing data. These programs consist of sets of instructions used for processing information.
Software is further classified into 3 types:
System Software
Application Software
Procedures
COMPONENTS OF INFORMATION SYSTEM
HARDWARE
Hardware represents the physical components of an information system. Some can be seen or touched easily, while others reside inside a device and can only be seen by opening up the device's case. Keyboards, mice, pens, disk drives, iPads, printers, and flash drives are all visible examples. Computer chips, motherboards, and internal memory chips are the hardware that resides inside a computer case and is not usually visible from the outside.
DATA
The third component is data. You can think of data as a collection of non-disputable raw facts. For example, your first name, driver's license number, the city you live in, a picture of your pet, a clip of your voice, and your phone number are all pieces of raw data. You can see or hear your data, but by themselves, they don't give you any additional meaning beyond the data itself.
COMPONENTS OF INFORMATION SYSTEM
PEOPLE
People built computers for people to use. This means that there are many different categories in the development and management of information systems to help organizations create value and improve productivity.
Users: these are the people who actually use an IS to perform a job function or task. Examples include a student using a spreadsheet or a word processing software program.
NETWORK
The components of hardware, software, and data have long been considered the core technology of information systems. However, networking communication is another component of an IS that some believe should be in its own category. An information system can exist without the ability to communicate.
BALANCING INFORMATION SECURITY AND ACCESS
Even with the best planning and implementation, it is impossible to obtain perfect security; security is a process, not an absolute.
Security should be treated as a balance between protection and availability.
To achieve balance, the level of security should allow reasonable access, yet protect against threats.
APPROACHES TO INFORMATION SECURITY
IMPLEMENTATION
Information security is the set of procedures to protect information from disruption, misuse, destruction, disclosure, modification, or
unauthorized access.
There are two approaches, discussed as follows:
Bottom-up approach
Top-down approach
BOTTOM-UP APPROACH:
In this approach, responsibility rests with the system administrator, cyber engineer, or network security professional rather than with top-level management positions. The main duty of such individuals is to secure the information system by using their expertise, knowledge, education, and training to build a highly secure model.
Advantages
• An individual's technical expertise in their field ensures that every system vulnerability is addressed and that the security model is able to counter any potential threats.
Disadvantage
• Due to the lack of cooperation between senior managers and relevant directives, it is often not suitable for the requirements and strategies of the organisation.
TOP-DOWN APPROACH:
The approach is created, initiated, or implemented by top-level management. This approach implements data security by issuing instructions and procedures, creating an information security policy, and following those procedures. The priority and liability of project activities are taken on by top-level management. The top-level managers take help from other professionals in the infosec system.
Advantages:
The top-down approach is more efficient than the bottom-up approach.
The company's management level is more powerful for protecting data than an individual or team, considering company-wide priority.
Each problem is unique and vulnerabilities exist in every department or office. To resolve the problem a top-down approach is important.
SECURITY IN THE SYSTEMS
DEVELOPMENT LIFE CYCLE
The Security System Development Life Cycle (SSDLC) is a framework used to manage the development,
maintenance, and retirement of an organization’s information security systems.
The SSDLC is a cyclical process that includes the following phases:
Planning: During this phase, the organization identifies its information security needs and develops a plan
to meet those needs. This may include identifying potential security risks and vulnerabilities, and determining
the appropriate controls to mitigate those risks.
Analysis: During this phase, the organization analyzes its information security needs in more detail and
develops a detailed security requirements specification.
Design: During this phase, the organization designs the security system to meet the requirements developed
in the previous phase. This may include selecting and configuring security controls, such as firewalls, intrusion
detection systems, and encryption.
Implementation: During this phase, the organization develops, tests, and deploys the security system.
Maintenance: After the security system has been deployed, it enters the maintenance phase, where it is
updated, maintained, and tweaked to meet the changing needs of the organization.
PHASES INVOLVED IN SECSDLC
SYSTEM INVESTIGATION:
The first phase, investigation, is the most important. The investigation phase begins by examining the event or plan that initiates the process. During this phase, the objectives, constraints and scope of the project are specified.
SYSTEM ANALYSIS:
In this phase, a detailed analysis of the documents from the System Investigation phase is done. Analysis begins by determining what the new system is expected to do and how it will interact with existing systems. This phase ends with the documentation of findings and an update of the feasibility analysis.
LOGICAL DESIGN:
The Logical Design phase deals with the development of the tools and blueprints followed by the various information security policies, their applications and software. Backup and recovery policies are also drafted in order to prevent future losses. In case of any disaster, the steps the business must take are also planned.
PHYSICAL DESIGN:
The technical teams acquire the tools and blueprints needed for the implementation of the software and application of the
system security. During this phase, different solutions are investigated for any unforeseen issues which may be encountered in
the future. They are analyzed and written down in order to cover most of the vulnerabilities that were missed during the
analysis phase.
IMPLEMENTATION:
In the implementation phase, any needed software is created. Components are ordered, received and tested. Afterward, users are trained and supporting documents created. Once all the components are tested individually, they are installed and tested as a system.
MAINTENANCE:
The maintenance and change phase is the longest and most expensive of the process. This phase consists of the tasks necessary
to support and modify the system for the remainder of its useful lifecycle.
SOFTWARE DESIGN PRINCIPLES
The main secure design principles are the following:
Economy of mechanism: Keep the design as simple and small as possible.
Fail-safe defaults: Base access decisions on permission rather than exclusion.
Complete mediation: Every access to every object must be checked for authority (there and then).
Open design: The design (and the code) should not be considered secret. The secret is always data, like a password or a
cryptographic key.
Separation of privilege: It’s always safer if it takes two parties to agree on a decision than if one can do it alone.
Least privilege: Operate with the minimal set of powers needed to get the job done.
Least common mechanism: Minimize subsystems shared between or relied upon by mutually distrusting users.
Psychological acceptability: Design security systems for ease of use for humans.
The two additional secure design principles are:
Work factor: Compare the cost of circumventing the mechanism with the resources of a potential attacker.
Compromise recording: Record that a compromise of information has occurred.
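Two of the principles listed above, fail-safe defaults and complete mediation, shown in code. This is an added example, not material from the slides; the users, permissions and resource contents are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample policy (not from the slides).
BLOCKED_USERS = {"mallory"}                                   # exclusion-based rule
PERMISSIONS = {"alice": {"read"}, "bob": {"read", "write"}}  # permission-based rule


def deny_list_check(user: str, action: str) -> bool:
    """Exclusion-based decision: anyone not explicitly blocked is allowed,
    so an unknown account (a typo, a new hire, an intruder) gets in."""
    return user not in BLOCKED_USERS


def allow_list_check(user: str, action: str) -> bool:
    """Fail-safe default: only explicitly granted (user, action) pairs pass;
    unknown users and unknown actions fall through to deny."""
    return action in PERMISSIONS.get(user, set())


def revoke(user: str) -> None:
    """Remove every permission held by `user`."""
    PERMISSIONS.pop(user, None)


@dataclass
class Resource:
    """Complete mediation: the policy is consulted on every read."""
    data: str
    log: list = field(default_factory=list)

    def read(self, user: str):
        decision = "allowed" if allow_list_check(user, "read") else "denied"
        self.log.append((user, decision))   # access record; raw material for compromise recording
        return self.data if decision == "allowed" else None


@dataclass
class CachedResource(Resource):
    """Anti-pattern: the first decision is remembered, so a later
    revocation is never noticed and a stale 'allowed' keeps working."""
    cache: dict = field(default_factory=dict)

    def read(self, user: str):
        if user not in self.cache:
            self.cache[user] = allow_list_check(user, "read")
        return self.data if self.cache[user] else None
```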
The NIST Approach to Securing the SDLC
Some of the benefits of integrating security into the system development life cycle include:
Early identification and mitigation of security vulnerabilities and problems with the configuration of systems, resulting in
lower costs to implement security controls and mitigation of vulnerabilities;
Awareness of potential engineering challenges caused by mandatory security controls;
Identification of shared security services and reuse of security strategies and tools that will reduce development costs and
improve the system’s security posture through the application of proven methods and techniques;
Facilitation of informed executive decision making through the application of a comprehensive risk management process in
a timely manner;
Initiation Phase. During the initiation phase, the organization establishes the need for a system and documents its purpose.
Security planning should begin in the initiation phase with the identification of key security roles to be carried out in the
development of the system. The information to be processed, transmitted, or stored is evaluated for security requirements, and
all stakeholders should have a common understanding of the security considerations. The Information System Security Officer
(ISSO) should be identified as well.
Development/Acquisition Phase. During this phase, the system is designed, purchased, programmed, developed, or otherwise
constructed. A key security activity in this phase is conducting a risk assessment and using the results to supplement the
baseline security controls. In addition, the organization should analyze security requirements; perform functional and security
testing; prepare initial documents for system certification and accreditation; and design the security architecture.
Implementation Phase. In the implementation phase, the organization configures and enables system security features, tests
the functionality of these features, installs or implements the system, and obtains a formal authorization to operate the system.
Design reviews and system tests should be performed before placing the system into operation to ensure that it meets all
required security specifications.
Operations/Maintenance Phase. In this phase, systems and products are in place and operating, enhancements and/or
modifications to the system are developed and tested, and hardware and software components are added or replaced. The
organization should continuously monitor performance of the system to ensure that it is consistent with pre-established user
and security requirements, and that needed system modifications are incorporated.
Disposal Phase. In this phase, plans are developed for discarding system information, hardware, and software and making the
transition to a new system. The information, hardware, and software may be moved to another system, archived, discarded, or
destroyed. If performed improperly, the disposal phase can result in the unauthorized disclosure of sensitive data. When
archiving information, organizations should consider the need for and the methods for future retrieval.
THANK YOU!