The information security function cannot be placed within protective services.

When all the security functions are on the same box it makes sense to have a single licensing model. Most UTM vendors follow this simplified model. Some of them charge separately for different security functions, but it is still simpler than dealing with different vendors and different licensing schemes.

By the way, licensing is never an issue with Fortinet, since all features are included in the price when a Bundle is purchased, and there is no limit on the number of users, connections, or other criteria. So, as long as the UTM solution is sized appropriately for today’s needs and tomorrow’s potential growth, what to use or what not to use is only a matter of technical configuration, not licensing.

URL: https://www.sciencedirect.com/science/article/pii/B9781597497473000016

MCSE 70-293: Planning, Implementing, and Maintaining Internet Protocol Security

Martin Grasdal, ... Dr. Thomas W. Shinder, Technical Editor, in MCSE (Exam 70-293) Study Guide, 2003

Purposes of Encryption

IPSec functions by using cryptographic techniques. The term cryptography refers to methods of making data unreadable or undecipherable by anyone except the authorized recipient in the event that the message is intercepted by someone else. IPSec uses cryptography to provide three basic services:

Authentication

Data integrity

Data confidentiality

There are times when only one or two of these services is needed, and other times when all of these services are needed. We will take a look at each of these services individually.

Head of the Class…

IPSec Encryption Algorithms

IPSec provides computer-level authentication, as well as data encryption, for virtual private network (VPN) connections that use the Layer Two Tunneling Protocol (L2TP). One important purpose of IPSec encryption is to provide for data confidentiality so that the messages that travel through the VPN tunnel cannot be read by unauthorized persons. This is the “private” part of virtual private networking.

Before an L2TP connection is established, IPSec is negotiated between the client computer and the VPN server that uses L2TP. When the negotiation is completed, the data and the password are secure. One point of negotiation is the encryption algorithm that will be used. Windows Server 2003 supports the following encryption algorithms:

Data Encryption Standard (DES): This method uses a single 56-bit key encryption level.

Triple Data Encryption Standard (3DES): This method uses three 56-bit keys for encryption.

In today’s security-conscious environments, most servers are set to allow encryption and allow the client machines to select their encryption methods (algorithms). You can also set the server settings to deny encryption, select the specific encryption strength, or allow the client computer to select the encryption strength. Data encryption is very important if you want to ensure that your data is not readable in the event that it is captured by a “sniffer” or otherwise intercepted as it travels across the network.

Authentication

Authentication is the process of verifying the identity of a data sender or recipient. This allows the message recipient to know that the message was actually sent from the sender and not from someone posing as the sender. IPSec can use different methods to authenticate identities, including pre-shared keys, digital certificates, and Kerberos authentication. Authentication is needed when it is important to verify that a message came from the person who claims to have sent it.

A concept closely related to authentication is nonrepudiation, which refers to a way of ensuring that the sender cannot later deny sending the message.

IPSec can also provide anti-replay. This refers to ensuring that an unauthorized person cannot capture the authentication credentials as they’re sent across the network and “replay” them to establish a communications session with the server.

NOTE

The use of pre-shared keys is not recommended, because it is the least secure of the authentication methods supported by Windows Server 2003 IPSec. The biggest problem with any shared secret such as a pre-shared key is the difficulty of sharing the key with both parties without compromising it.

Data Integrity

Data integrity refers to the ability to ensure that the data received at the endpoint of the communication is exactly the same data that was sent from the originating computer, and that it has not been modified in any way in transit. IPSec uses hash functions to ensure that the contents of the data packet have not changed between the time it was sent and the time it was received.

Head of the Class…

Hashing and Hash Algorithms

A hash algorithm used for encryption is a mathematical calculation that has been proven to be one-way so that it cannot be reverse-engineered (discovery of the original message using the hash result). (Two-way hashes are sometimes used for purposes other than encryption.) The result of the application of the algorithm is called the hash result.

Hashing uses a secret key to create a message digest, which is a combination of the message itself and the hash result. The message digest is sent to the recipient, and the same key is applied to it. The recipient applies the same key to the message, and the result will be identical if there has been no alteration.

The Message Digest 5 (MD-5) and Secure Hash Algorithm (SHA) algorithms are two popular hashing algorithms.
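The keyed-hash integrity check described in this sidebar, combined with the anti-replay service mentioned under Authentication, as an added example that is not from the study guide. It is a simplified model rather than the real AH/ESP packet format; the key, the packet layout (32-bit sequence number, payload, truncated HMAC-SHA1) and the window size are assumptions made for the sketch.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # keep the first 96 bits of the HMAC as the integrity check value
WINDOW = 32    # anti-replay window size (assumed for this sketch)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: sequence number + payload, followed by the keyed hash."""
    body = struct.pack("!I", seq) + payload
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0   # highest authenticated sequence number so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already accepted

    def accept(self, packet: bytes):
        """Return the payload if the packet is authentic and fresh, else None."""
        if len(packet) < 4 + ICV_LEN:
            return None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        seq = struct.unpack("!I", body[:4])[0]
        if seq == 0 or self._replayed(seq):
            return None                      # replayed or too old
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None                      # modified in transit or wrong key
        self._mark(seq)                      # only authenticated packets move the window
        return body[4:]

    def _replayed(self, seq: int) -> bool:
        if seq > self.highest:
            return False
        offset = self.highest - seq
        if offset >= WINDOW:
            return True
        return bool((self.bitmap >> offset) & 1)

    def _mark(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def demo():
    key = b"constructed-demo-key"            # constructed sample key
    rx = Receiver(key)
    p1 = protect(key, 1, b"transfer 100")    # constructed sample packets
    p2 = protect(key, 2, b"transfer 200")
    # Flip the last payload byte but keep the original check value.
    tampered = p2[:-ICV_LEN - 1] + b"9" + p2[-ICV_LEN:]
    return [rx.accept(p1), rx.accept(p1), rx.accept(tampered), rx.accept(p2)]


if __name__ == "__main__":
    print(demo())
```

The second delivery of the first packet is dropped as a replay, the altered packet fails the keyed-hash comparison, and the genuine second packet is still accepted afterwards because a failed check never advances the window.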

Data Confidentiality

Data confidentiality refers to the ability to “scramble” the data using encryption algorithms so that it cannot be understood by an unauthorized person who intercepts it. IPSec provides data confidentiality only through the ESP protocol. AH does not provide for encryption of the data. ESP uses the 3DES and DES algorithms to ensure data confidentiality.

URL: https://www.sciencedirect.com/science/article/pii/B9781931836937500142

Functional Analysis and Allocation Practice

Richard F. Schmidt, in Software Engineering, 2013

11.2.10 Identify data security procedures

Data security functions and procedures must be identified that protect confidential or classified information. Information security is a profession that addresses a broader range of computer security and information assurance challenges. Data security represents a subset of the information security capabilities that will be performed by the software product. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction. Software engineering involves the establishment of logical controls that monitor and regulate access to sensitive (confidential or classified) information. Information security functions must be identified and the appropriate procedures defined for:

Access control, including user account administration, identification, authentication, and authorization. Access control protects information by restricting the individuals who are authorized to access sensitive information.

Information security classification, involving the identification of different data classification levels, the criteria for data to be assigned a particular level, and the required controls to govern the access to each level of sensitive information.

Cryptography, including information encryption and decryption.

URL: https://www.sciencedirect.com/science/article/pii/B9780124077683000112

Security for Distributed Systems: Foundations of Access Control

Elisa Bertino, Jason Crampton, in Information Assurance, 2008

3.3.3 An Information Flow Policy for Confidentiality

We now consider a very different approach to authorization policies, in which access to resources is determined by the respective attributes of the subject and object. Much of the early research on secure computer systems was funded by the U.S. military. The prime concern of this research was to ensure the confidentiality of sensitive electronic resources. The research sought ways to mimic paper-based systems in which documents are stamped with labels such as “Confidential” and “Top Secret” and are filed securely according to their classification. A user is only allowed access to a document if his or her security clearance is as high as that of the document. In the late 1960s, the military began to fund research on implementing such an access control policy in computerized systems. Two important models from this period include the lattice-based model for information flow [7] and the Bell-LaPadula model [8].

The act of accessing an object can be regarded as initiating an information flow. In particular, reading an object causes information to flow from the object to the subject, while the flow is in the opposite direction if the subject writes to the object. An information flow policy specifies which information flows are authorized. As we might expect, an information flow policy for confidentiality requires that high-level information cannot flow to a lower level, for example, an unclassified user cannot read classified material.

In order to describe an information flow policy in formal terms, it is necessary to define a set of security labels L and a security function λ. The set of security labels is ordered, meaning that it is possible to compare two different security labels. A widely used set of security labels in military circles is {unclassified, classified, secret, top_secret}, where the ordering is defined to be unclassified < classified < secret < top_secret.

The security function λ is used to associate a security label with each subject and each object. The information flow policy states that information may only flow from an entity e to another entity f if λ(e) ≤ λ(f). In other words, information flow between two entities obeys the ordering on the entities' respective security labels. Hence, it is not allowed, for example, for information to flow from a top_secret source to a less secure entity. In contrast, information may always flow from an unclassified source.

When we consider different interactions between subjects and objects we derive the following rules:

A subject s is authorized to read an object o only if the security label of s is at least as high as that of o. This is sometimes referred to as the no-read-up rule or simple security property [8].

A subject s is authorized to write to an object o only if the security label of o is at least as high as that of s. This is sometimes referred to as the no-write-down rule or *-property [8].

A word of explanation is required regarding write access. It is possible that a subject with top_secret clearance may (inadvertently) run a Trojan horse program that has been installed by an attacker. Such a program might attempt to write top_secret information to a less secure file. The no-write-down rule prevents the Trojan horse program from performing this action, limiting the damage that an attacker can inflict by installing such a program. (Of course, if the attacker can obtain top_secret access, then he or she can obtain the top_secret information anyway.) Another security compromise that the no-write-down rule prevents is that of a subject mistakenly writing sensitive information to an object with a lower security level. The classic example of this is printing top_secret documents on a printer that has an unclassified security label. (A request to print a document is usually interpreted as a request to write to a printer object.)
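The information flow policy and the two rules derived from it, as an added example that is not from the original chapter. The label set and ordering are the ones given in the text; the subject and object names, the audit list and the fail-closed handling of unlabeled entities are assumptions of this sketch.

```python
from enum import IntEnum


class Label(IntEnum):
    # The ordered set of security labels L from the text.
    unclassified = 0
    classified = 1
    secret = 2
    top_secret = 3


class ReferenceMonitor:
    def __init__(self):
        self.lam = {}      # the security function λ: entity name -> Label
        self.denied = []   # audit trail of refused requests

    def assign(self, entity, label):
        self.lam[entity] = label

    def may_flow(self, src, dst):
        """Information may flow from src to dst only if λ(src) <= λ(dst)."""
        return self.lam[src] <= self.lam[dst]

    def request(self, subject, action, obj):
        if action not in ("read", "write"):
            raise ValueError("unknown action: " + action)
        if subject not in self.lam or obj not in self.lam:
            ok, rule = False, "unlabeled-entity"   # fail closed (sketch's choice)
        elif action == "read":                     # flow: object -> subject
            ok, rule = self.may_flow(obj, subject), "no-read-up"
        else:                                      # flow: subject -> object
            ok, rule = self.may_flow(subject, obj), "no-write-down"
        if not ok:
            self.denied.append((subject, action, obj, rule))
        return ok


def scenario():
    rm = ReferenceMonitor()
    for name, label in [                           # constructed entities
        ("alice", Label.top_secret),
        ("bob", Label.unclassified),
        ("war_plan.doc", Label.top_secret),
        ("public_notes.txt", Label.unclassified),
        ("lobby_printer", Label.unclassified),
        ("vault_printer", Label.top_secret),
    ]:
        rm.assign(name, label)
    requests = [
        ("bob", "read", "war_plan.doc"),           # unclassified user, classified material
        ("alice", "read", "war_plan.doc"),
        ("alice", "read", "public_notes.txt"),
        ("alice", "write", "public_notes.txt"),    # what a Trojan horse run by alice would try
        ("alice", "write", "lobby_printer"),       # printing is a write to the printer object
        ("alice", "write", "vault_printer"),
        ("bob", "write", "war_plan.doc"),          # writing up does not leak information
    ]
    decisions = [rm.request(*r) for r in requests]
    return decisions, rm.denied


if __name__ == "__main__":
    results, audit = scenario()
    print(results)
    for entry in audit:
        print("DENIED", entry)
```

The denied list records which rule refused each request, which is the record an administrator would review after the Trojan horse or printer cases described above.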

URL: https://www.sciencedirect.com/science/article/pii/B9780123735669500057

Introduction

In SAP Security Configuration and Deployment, 2009

ABAP WEB AS 7.0

System security functions that apply specifically to SAP Web AS ABAP are Trust Manager and Security Audit Log. Trust Manager is the tool to use when using public-key technology with the SAP Web AS ABAP server. Use the Security Audit Log to keep track of security-related events on the SAP Web AS ABAP server. Events such as unsuccessful log-on attempts, starting of transactions or reports, or changes to user master records can be recorded and analyzed. Secure storage is part of the SAP Web Application Server ABAP and is used by SAP applications to store the passwords used for connecting to other systems. The passwords are stored encrypted. As a result they cannot be accessed by unauthorized users.

Establishing solid trust relationships is vital to the success of business processing. This becomes paramount with today's mobile knowledge worker that transcends corporate bounds and works from anyplace. Therefore, many applications in SAP Systems rely on the use of public-key technology to establish the trust infrastructure that is necessary for successful business relationships.

SAP Systems support the use of an external security product using the Secure Store and Forward (SSF) mechanism. By using SSF, applications can support the use of digital signatures and document encryption in their processing. At start-up, each SAP System is supplied with a public-key pair, which includes a public-key certificate that is stored in its own system Personal Security Environment (PSE). The SAP System can therefore produce its own digital signatures using the public-key information contained in its system PSE. Other systems can then verify the system's digital signature, which guarantees the integrity and authenticity of a document that has been digitally signed by the system. With the SAP Web AS, a single login by a user enables the system to authenticate the user through other subsystems using the digital signature provided with the log-on ticket. Lastly, the SAP Web AS supports the Secure Sockets Layer (SSL) protocol, which provides for authentication between communication partners and encrypted communications. In this case, the application server must also possess a public and private key pair to use for the SSL communications.

The Security Audit Log is designed for security and audit administrators who wish to have detailed information on what occurs in the SAP System. By activating the audit log, you keep a record of those activities you consider relevant for auditing. You can then access this information for evaluation in the form of an audit analysis report.

The SAP Web AS ABAP communicates with its communication partners using various protocols. The primary protocols used are Dialog (DIAG), RFC, and HTTP. The security mechanism for managing these protocols is either Secure Network Communication (SNC) or SSL.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492843000016

Risky Business

Evan Wheeler, in Security Risk Management, 2011

Publisher Summary

The Information Security function's role is to reduce the organization's operating risk with sound information security practices in order to enable the organization to take business risks that its competitors can’t. The information security field is all about managing the risks to sensitive data and critical resources. Those who have been in this field for a long time need to reorient themselves to embrace the perspective that not every vulnerability needs to be “fixed.” The goal of information security should be to ensure that the confidentiality, integrity, availability, and accountability of the organization's resources are maintained at an acceptable level. Information security has a broad set of responsibilities, ranging from training and awareness to digital forensics.

URL: https://www.sciencedirect.com/science/article/pii/B9781597496155000025

Physical Security

Dr. Gerald L. Kovacich, Edward P. Halibozek, in Effective Physical Security (Fourth Edition), 2013

Summary

The physical security function through a CSM’s physical security organization is the foundation for basic assets protection measures (Figure 21-2). To this foundation, or baseline, additional controls for protection of assets are added, creating a complete protection profile. No single physical security control can satisfy all of the assets protection needs.

FIGURE 21-2. Basic assets protection measures.

Physical security is built in layers. Each layer of security control serves a specific purpose by providing specific protections. Many controls used in conjunction with each other help to create a secure environment.

Conducting a site physical security survey should enable the gathering of all information necessary to make an intelligent and informed risk assessment of the sites or facilities and create a physical security profile. From this point, additional controls can be developed and implemented to provide the most cost-effective security profile tailored to the specific needs of an enterprise.

URL: https://www.sciencedirect.com/science/article/pii/B9780124158924000213

Securing Web Applications, Services, and Servers

Gerald Beuchelt, in Computer and Information Security Handbook (Third Edition), 2017

Advanced HTTP Security

The basic security functions of HTTP described earlier are sufficient for simple client–server systems, but are hard to manage for complex multiparty interactions. In addition, the most common security transport—TLS—typically requires a comprehensive PKI rollout, especially when using user certificates for mutual authentication.

Typical HTTP applications and services in social networking or cloud environments have use cases that cannot easily be addressed with basic HTTP authentication schemes. Furthermore, the deployment of PKI in such environments is too expensive or extremely complex: PKI implies a fairly high level of trust in the binding of the credential to a system or the user, which is hard to control in highly dynamic environments.

Based on these constraints, a number of large web 2.0 or higher providers (including Google, Twitter, AOL, and others), as well as smaller companies with deep insight into the architectures of dynamic web applications and REST-style HTTP services, started in 2004 developing technologies that are complementary to the “heavyweight” SOAP-centric identity management technologies. While initially focused on simple data-sharing use cases with limited risk (such as SSO for blog commenting), these technologies have matured to the point where they can be used to secure commercial services and provide a simplified experience for users of social media and other web applications.

URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000107

Managing the Basic Elements of Healthcare Security

Tony W. York, Don MacAlister, in Hospital and Healthcare Security (Sixth Edition), 2015

Security Communications

The successful security function will engage the eyes and ears of all employees in the protection program. Capitalizing on employee involvement requires that employees be able to communicate easily with security staff. Ideally, the healthcare worker is provided with a single number to dial for all security-related calls. Exempla Health, a three-hospital system based in Denver, uses an easy-to-remember acronym to contact Security: “SAFE” or the number 7233 (Figure 5-5).

FIGURE 5-5. Security number.

(Courtesy of Eric Smith, CPP, Director of Security, Exempla Health, Denver, CO.)

The call should be answered by a knowledgeable operator who can obtain the name of the person calling, a call back number, and the basic purpose (need) of the call; the operator should have direct communication with the security staff. In larger security departments, this could be a trained security dispatcher, or in some smaller hospitals, the responsibility could fall to the PBX operators. A growing option has been to outsource the function.

In Alberta, Canada, where the Alberta Health Services (AHS) Protective Services department provides security to all of the Province’s healthcare facilities, one off-site centralized operations center in Edmonton receives all calls for security service for all sites. This Provincial Security Control Centre (PSCC) dispatches security at AHS sites in response to alarms and calls for service.

Ideally, direct radio communication is used in each option. However, less sophisticated approaches such as cell phones, pagers and overhead announcements can be used in the security program. In each, it is critical that the caller receives acknowledgement of every call made for security services.

URL: https://www.sciencedirect.com/science/article/pii/B9780124200487000052

Concept of Security

Clifton L. Smith, David J. Brooks, in Security Science, 2013

Public Security (Policing)

The primary public security function is to maintain accepted behaviors among the community, upholding law and regulations, and protecting a nation-state's general public (Zedner, 2009). Nevertheless, public security is often considered a form of security and is developed hand-in-hand with other practice areas of security. While one security practice area may have been more dominant than the other at some point in time, each rose concurrently, supporting each other and with members moving between areas. While it is considered that private security developed first, it is important to consider that security reflects society and aims to meet the needs of its society. Western views suggest that security may have first been documented in medieval England, with programs to clear the king's roads of brush to serve as a precaution against highway robbery.

As society changes, so does security, and there are extensive discussions on public security versus private security. It would be highly unlikely that nation-states would wholly replace their public security functions with wholly private security services. In the past where this has been attempted, the results have been a short-term financial state benefit, public discourse, and contract termination (Knote, 2004). Nevertheless, both relationships and contractual partnerships have been and will continue to be successful and expand. Relationships between public security and private security have been growing for many years. In the past, this has been through second-career police officers moving from one career to the other. Both public security and other security practice areas can see the benefits of such a relationship. In addition, contractual partnerships have been increasing, where private security complements sworn public officers and allows them to be more effective in frontline public security functions.

Distinct differences between public security and private security are their philosophy, principles, authority, and status (Table 1.3), where public security has the obligation of egalitarian service but private security obligations are client exclusive (Knote, 2004, pp. 2–22; Sarre and Prenzler, 2011, p. 83). In other words, public security upholds the social contract, whereas private security protects one's own assets. Private security's primary function is to protect their client's people, information, and assets. Such an approach does lead to varying needs between very similar organizations, resulting in inconsistencies. In addition, the debate in regard to a profit or nonprofit approach should be considered, but this may reduce with increasing financial pressure in many public departments. Nevertheless, public security and private security have quite a different intent.

Table 1.3. Public Security versus Private Security Functions

| Private Security | Function | Public Security |
|---|---|---|
| Client | Input | Citizen |
| Selective | Service | Equal |
| Profit-driven | Delivery resourcing | Tax-funded |
| Undetermined | Finance | Predetermined |
| Fragmented | Structure | Centralized |
| Citizen | Power | Legislated |
| Limited | Training | Intensive |
| Loss prevention | Role | Law enforcement |
| Protection | Orientation | Offender |
| Specific | Target | General |
| Private | Space | Public |
| Restricted | Regulated | Heavily |
| Wide | Discretion | Limited |
| Asset protection | Output | Enforcement |
| Proactive | Stance | Reactive |

Public security has many similar functions to the other practicing security domains; however, it is quite distinct. Public security reacts to an event, with the function to enforce social law. The reactive nature distinguishes public security from private security, which attempts to prepare for an event to protect one's own property.

Where in an organization should the information security function be placed?

No single person should decide where the information security function belongs within the organization. Within different departments there should be someone making decisions on where the information security function belongs, depending on the needs of that department's goals and resources.

Which of the following information security roles is accountable for the day to day operation of the information security program?

Security managers are accountable for the day-to-day operation of the information security program. The security manager position is much more general than that of the CISO. The position of security technician can be offered as an entry-level position.

Is typically considered the top information security officer in the organization?

A CISO is typically a skilled leader and manager with a strong understanding of information technology and security, who can communicate complicated security concepts to both technical and nontechnical employees. CISOs should have experience with risk management and auditing.

Is the title most commonly associated with the top information security officer in the organization?

The CISO is typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.