Security in organizations

“Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't use a computer without wondering about the security vulnerabilities. They just can't help it.”

 

Bruce Schneier

 

Course ID: 00153

Credits: 6

Schedule: First semester

Lecturers: Prof. dr. Eric Verheul (Lecturer); Christiaan Hillen (Instructor and administrative matters); Guest lecturers (see below)

Description

The goal of this class is twofold. The first goal is to demonstrate a structured approach towards security in an organization, covering the necessary standards and tools. Secondly, it aims to introduce students to the 'security mindset', allowing them to gain an understanding of what usually goes wrong and how to avoid such pitfalls in their own organization.

Information security deals with the preservation of the confidentiality, integrity and availability of information. The leading standard on information security is ISO 27001, which defines the notion of an Information Security Management System (ISMS). This is a means for the management of an organization to be in control of its information security risks. Fundamental within ISO 27001 is that information security is considered to be a ‘process’ and not a ‘product’ one can simply buy. The process allows management to ensure that others within their organization are implementing security controls that are effective.

One of the difficulties of the information security process is its multidisciplinary nature: it needs to grasp security requirements from the organization's business processes (where the managers typically are not savvy on information security) and to translate them into security controls. These controls can be of various types, e.g. procedural, organizational, relating to personnel security, physical, ICT technical, cryptographic or legal. Moreover, the information security process needs to check that the operational effectiveness of the chosen controls is satisfactory and to adapt the controls (or the surrounding framework leading to the controls) if required.

Within the course the information security process is explored both from a theoretical and a practical level, never losing sight of the computer science perspective. To this end the course also has several practical exercises, including conducting an EDP audit. The course provides the basic information on information security required by the security officer of an organization, by IT security auditors and by IT security consultants. As information security is still a rapidly evolving topic (one might argue it is even still in its infancy), the course can also provide inspiration for further scientific research in the field.

The course closely follows the ISO 27001 standard. It starts with five classes on security management in line with this standard. In essence, the organization here selects different types of security controls from Annex A of the ISO 27001 standard, which are described in more detail in another standard, ISO 27002. These controls are divided into eleven topics corresponding with respective chapters in the ISO 27002 standard (see table below).

ISO27002 Chapter | Title
-----------------|------
5  | Security Policy
6  | Organization of Information Security
7  | Asset Management
8  | Human Resources Security
9  | Physical and Environmental Security
10 | Communications and Operations Management
11 | Access Control
12 | Information Systems Acquisition, Development and Maintenance
13 | Information Security Incident Management
14 | Business Continuity Management
15 | Compliance

From class six onwards the course focuses on each of these topics. After a short introduction, each of the topics is discussed by guest lecturers from actual organizations. These lecturers explain the implementation of the topic in their organization and the challenges one faces in this.

Objectives (‘leerdoelen’)

· Learn to control information security risks within an organization in a holistic fashion (procedural, organizational and technical).

· Getting familiar with the leading standards in this area, their shortcomings and practical implementation guidelines.

· To learn to map policies to technical countermeasures and vice versa.

· To learn how to write and enforce security policies.

· To learn some basic techniques in security auditing.

· Getting an idea of the practical aspects of information security.

Teaching Methods (‘werkvormen’)

· 32 hrs lecture (16 lectures)

· 32 hrs tutorials (werkcollege)

· 104 hrs self-study (zelfstudie)

Examination

To successfully pass the exam the student has to fulfill the following two conditions:

1. Having carried out all the assignments.

2. An average mark of 6 or higher over both the assignments during the course and the written exam at the end of the course. If both parts (assignments and exam) of the examination have been completed in time, the final mark will be the average of the two averages, provided the outcome of the exam is at least 5.0. If the result of the exam is lower than 5.0, the final mark will be equal to this result.

Detailed schedule & assignments

# | Week | Date | Topic / Literature (slides in BlackBoard) | Focus point | #Classes | Lecturer
--|------|------|-------------------------------------------|-------------|----------|---------
1 | 36 | 2 September 2013 | Security Management based on ISO 27001. [ISO27001], [ISO27002], [ISO27005], [BLACK TULIP], [CBP RICHTSNOEREN], [Ach27001], [GHOSTNET], [MANDIANT], [Wikileaks], Chapter 1 of [Security Engineering], Chapter 2 of [Security Engineering], [SP800-55], [SP800-30], [Microsoft_Security_Intelligence_Report_14] | Introduction to IB and class. Assignment #1 | 4 | Eric Verheul
2 | 37 | 9 September 2013 | Security Management based on ISO 27001 | | | Eric Verheul
3 | 38 | 16 September 2013 | Implementation of ISO 27001 | | | Eric Verheul
4 | 39 | 23 September 2013 | Conducting Risk Assessments in IB: Assignment #2 | | | Eric Verheul
5 | 40 | 30 September 2013 | 5 SECURITY POLICY. Chapter 5 of [ISO27002] | Explanation of security policy and introduction to Assignment #3 | 1 | Eric Verheul
  | | | 6 ORGANIZATION OF INFORMATION SECURITY | Part of Class 3. | 0 | Eric Verheul
  | | | 7 ASSET MANAGEMENT | Part of Class 3. | 0 | Eric Verheul
  | | | 8 HUMAN RESOURCES SECURITY | Part of Class 3. | 0 | Eric Verheul
6 | 41 | 7 October 2013 | 13 INFORMATION SECURITY INCIDENT MANAGEMENT. Chapter 13 of [ISO27002], [800-61] | | 1 | Martijn de Hamer, NCSC
7 | 42 | 14 October 2013 | 9 PHYSICAL AND ENVIRONMENTAL SECURITY. Chapter 9 of [ISO27002], Chapter 11 of [Security Engineering], [TOOOL] | The importance of locks in the security of organizations. Assignment #4 | 1 | Jos Weyers, toool.nl
8 | 43 | 21 October 2013 | 10 COMMUNICATIONS AND OPERATIONS MANAGEMENT. Chapter 10 of [ISO27002], [BLACK TULIP], [ISP-BOTNET], [ECONOMICS OF MALWARE] | Malware (rootkits, bot software) in the user environment and its usage, e.g. in internet banking fraud. Assignment #5. Disclosure letter you can use. Alternative Assignment | 1 | Mark Koek

Course free weeks: 28 October and 4 November 2013

# | Week | Date | Topic / Literature (slides in BlackBoard) | Focus point | #Classes | Lecturer
--|------|------|-------------------------------------------|-------------|----------|---------
9 | 46 | 11 November 2013 | 11 ACCESS CONTROL. Chapter 11 of [ISO27002], [Security Engineering, Chapter 4], [STORK] | Federated user management (e.g. DigiD, e-ID) and its usage in e-government. | 1 | Martijn Oostdijk
10 | 47 | 18 November 2013 | 12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE. Chapter 12 of [ISO27002], [Security Engineering, Chapter 25] | Secure programming (e.g., in a banking environment). | 1 | Yorick Koster, Han Sahin, Securify.nl
11 | 48 | 25 November 2013 | 13 INFORMATION SECURITY INCIDENT MANAGEMENT. Chapter 13 of [ISO27002] | Phishing and Trojan fraud. | 1 | Jan Joris Vereijken, Architect ING
12 | 49 | 2 December 2013 | 14 BUSINESS CONTINUITY MANAGEMENT. Chapter 14 of [ISO27002] | Business Continuity Management in practice | 1 | Alex Hoogteijling, HMC
13 | 50 | 9 December 2013 | 14 BUSINESS CONTINUITY MANAGEMENT. Chapter 14 of [ISO27002], [NCSC-DDOS] | DDOS attacks, resistance and mitigation | 1 | Roland van Rijswijk-Deij, Surfnet
14 | 51 | 16 December 2013 | 15 COMPLIANCE. Chapter 15 of [ISO27002], [Chapter 26, Security Engineering], [CWA 14172-3], [KLPD] | ICT Audit | 1 | Eric Verheul

Total #Classes: 15

Reference of material used in the course

Reference | Description/Location
----------|---------------------

[Ach27001]
How to Achieve 27001 Certification, Sigurjon Thor Arnason, Keith D. Willett, Auerbach Publications, 2008. Available from http://www.netbks.com/.

[BLACK TULIP]
Black Tulip, Report of the investigation into the DigiNotar Certificate Authority breach, Fox-IT, 2012. Available from http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2012/08/13/black-tulip-update/black-tulip-update.pdf.

[CBP RICHTSNOEREN]
Beveiliging van persoonsgegevens, CBP Richtsnoeren, February 2013. Available from http://www.cbpweb.nl/downloads_rs/rs_2013_richtsnoeren-beveiliging-persoonsgegevens.pdf

[CWA 14172-1]
EESSI Conformity Assessment Guidance - Part 1: General introduction, CEN Workshop Agreement, March 2004. Available from ftp://ftp.cen.eu/CEN/Sectors/TCandWorkshops/Workshops/eSIGN_CWAs/cwa14172-01-2004-Mar.pdf

[CWA 14172-2]
EESSI Conformity Assessment Guidance - Part 2: Certification Authority services and processes, CEN Workshop Agreement, March 2004. Available from ftp://ftp.cen.eu/CEN/Sectors/TCandWorkshops/Workshops/eSIGN_CWAs/cwa14172-02-2004-Mar.pdf

[CWA 14172-3]
EESSI Conformity Assessment Guidance - Part 3: Trustworthy systems managing certificates for electronic signatures, CEN Workshop Agreement, March 2004. Available from ftp://ftp.cen.eu/CEN/Sectors/TCandWorkshops/Workshops/eSIGN_CWAs/cwa14172-03-2004-Mar.pdf

[ECONOMICS OF MALWARE]
Economics of Malware: Security Decisions, Incentives and Externalities, Michel J.G. van Eeten and Johannes M. Bauer, 2008. Available from http://www.oecd.org/dataoecd/53/17/40722462.pdf.

[GHOSTNET]
Tracking GhostNet - Investigating a Cyber Espionage Network, Information Warfare Monitor, March 29, 2009. Available from http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network

[ISO27001]
Information technology — Security techniques — Information security management systems — Requirements, ISO, 2005, available from www.iso.org.

[ISO27002]
Information technology — Security techniques — Code of practice for information security management, ISO, 2005, available from www.iso.org.

[ISO27005]
Information technology — Security techniques — Information security risk management, ISO, 2011, available from www.iso.org.

[ISP-BOTNET]
Internet Service Providers and Botnet Mitigation: A Fact-Finding Study on the Dutch Market, report prepared for the Netherlands Ministry of Economic Affairs, Agriculture and Innovation, Michel J.G. van Eeten et al., 2011. Available from http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/01/13/internet-service-providers-and-botnet-mitigation/tud-isps-and-botnet-mitigation-in-nl-final-public-version-07jan2011.pdf

[MANDIANT]
APT1 - Exposing One of China’s Cyber Espionage Units, Mandiant. Available from http://intelreport.mandiant.com/.

[Microsoft_Security_Intelligence_Report_14]
Microsoft Security Intelligence Report 14, available from http://www.microsoft.com/security/sir/archive/default.aspx.

[NCSC-CYBERCRIME]
Cybercrime - Van herkenning tot aangifte, Nationaal Cyber Security Centrum, January 2012. Available from http://www.ncsc.nl.

[NCSC-DDOS]
Continuïteit van onlinediensten - De wereld van (distributed) Denial of Service aanvallen, Nationaal Cyber Security Centrum, 8 May 2013. Available from http://www.ncsc.nl.

[Security Engineering]
Security Engineering: A Guide to Building Dependable Distributed Systems, R. Anderson, Second Edition, John Wiley & Sons, Inc., 2001. Available from http://www.cl.cam.ac.uk/~rja14/book.html.

[SP800-55]
Performance Measurement Guide for Information Security, National Institute of Standards and Technology (NIST), Revision 1, July 2008. Available from http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf.

[SP800-30]
Guide for Conducting Risk Assessments, National Institute of Standards and Technology (NIST), Revision 1, September 2012. Available from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf.

[STORK]
Towards pan-European recognition of electronic IDs (eIDs), STORK Project, March 3, 2009. Available from https://www.eid-stork.eu/index.php?option=com_processes&Itemid=&act=streamDocument&did=577

[TOOOL]
www.toool.org.