The Cybersecurity Cube (also called the McCumber Cube) is a tool developed by John McCumber, one of the early cybersecurity experts, in order to help manage the protection of networks, domains, and the Internet. The Cybersecurity Cube has three dimensions and looks somewhat like a Rubik’s Cube.
The first dimension of the Cybersecurity Cube includes the three principles of information security. The second dimension identifies the three states of information or data. The third dimension of the cube identifies the expertise required to provide protection. These are often called the three categories of cybersecurity safeguards.
How the McCumber Cube can be used to form the best maintenance policies:
a. Failure-based maintenance (FBM) - a reactive policy carried out after a breakdown.
b. Time/use-based maintenance (TBM/UBM) - a preventive policy activated at pre-specified time intervals.
c. Condition-based maintenance (CBM) - a predictive policy that becomes active when some system parameters reach predetermined values.
d. Opportunity-based maintenance (OBM) - a policy carried out only after some specific situation arises; it is therefore considered a passive policy.
e. Design-out maintenance (DOM) - a policy whose primary premise is designing for ease (or even elimination) of maintenance.
The McCumber Cube Technique:
John McCumber developed the McCumber cube as a way to model risk management. The model gives the security practitioner a means to graphically evaluate and manage risk for a system; viewing the cube from different angles allows risk to be considered from different perspectives. The three primary aspects of the cube are information state (storage, processing, transmission), countermeasures (technology, policy, people), and security services (confidentiality, integrity, availability). The cube is used by selecting a desired security service and considering which countermeasures must be implemented to protect the affected information states. Reducing the scope of the view of the cube can sharpen risk-based decisions about the countermeasures needed to protect against specific attacks. An attack vector is a particular technique that exploits a system weakness; the information state is what needs to be protected, and countermeasures are what can be implemented to defend the network. Analysing these dimensions together yields the desired security goal.
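The "reduce the scope of the view" step above can be carried out mechanically: tag each existing control with the cube cells it addresses, then pick one security service and list the (state, countermeasure) cells on that face that no control covers. The following is an added example, not part of the original text or of McCumber's work; the control inventory is constructed for illustration.

```python
from itertools import product

# The three axes of the McCumber Cube as given in the text.
INFORMATION_STATES = ("storage", "processing", "transmission")
COUNTERMEASURES = ("technology", "policy", "people")
SECURITY_SERVICES = ("confidentiality", "integrity", "availability")

# Constructed sample control inventory (assumption, not from the page): each
# control is tagged with the cell(s) it addresses as (state, countermeasure, service).
SAMPLE_CONTROLS = {
    "disk encryption": [("storage", "technology", "confidentiality")],
    "TLS on all services": [("transmission", "technology", "confidentiality"),
                            ("transmission", "technology", "integrity")],
    "data handling policy": [("storage", "policy", "confidentiality"),
                             ("processing", "policy", "confidentiality"),
                             ("transmission", "policy", "confidentiality")],
    "phishing awareness training": [("processing", "people", "confidentiality")],
    "nightly backups": [("storage", "technology", "availability")],
}


def all_cells():
    """Every (state, countermeasure, service) cell of the 3x3x3 cube (27 cells)."""
    return set(product(INFORMATION_STATES, COUNTERMEASURES, SECURITY_SERVICES))


def covered_cells(controls):
    """Cells addressed by at least one control; rejects mistyped axis values."""
    valid = all_cells()
    covered = set()
    for name, cells in controls.items():
        for cell in cells:
            if cell not in valid:
                raise ValueError(f"control {name!r} has an invalid cell {cell}")
            covered.add(cell)
    return covered


def gaps_for_service(controls, service):
    """Narrow the view to one security service (a 3x3 face of the cube) and
    return the (state, countermeasure) cells there with no control, sorted."""
    if service not in SECURITY_SERVICES:
        raise ValueError(f"unknown security service {service!r}")
    covered = covered_cells(controls)
    return sorted((state, cm) for state, cm in product(INFORMATION_STATES, COUNTERMEASURES)
                  if (state, cm, service) not in covered)


if __name__ == "__main__":
    for svc in SECURITY_SERVICES:
        print(svc, "gaps:", gaps_for_service(SAMPLE_CONTROLS, svc))
```

With the sample inventory the confidentiality face still lacks a technology control for data in processing and people controls for data in storage and transmission, which is the kind of targeted finding the scoped view is meant to produce.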
Information Security Management:
Information security management is the process of carrying out the various activities that preserve an organization's business information assets. It involves implementing security measures that give effect to the organization's security policy, its security procedures and its other security programs. It is a continuous process, requiring constant review and adjustment to keep up with the latest technology developments and their associated risks and to ensure that the organization's information security goals and objectives remain fulfilled to the fullest extent. It is essential to differentiate between information security management and information security governance in order to highlight why each of these functions is so important to securing business information assets.
PROCESS:
Information security management begins with clear direction. Issuing a corporate information security policy expresses the organization's commitment to protecting the confidentiality, integrity and availability of business information. A series of activities aimed at realizing this commitment then commences, beginning with an initial assessment of the potential risks to information, followed by some form of risk management strategy. This enables the organization to identify and implement an assortment of physical, technical and operational security controls.
However, in order to effectively enforce accountability and responsibility for information security throughout an organization, various individuals need to fully understand the roles they play in this regard.
The Role of the Board of Directors:
The primary role of the board is to oversee the interests of the shareholders by effectively directing and controlling an organization and ensuring that all resources are appropriately utilized. The board must support the establishment and implementation of a robust information security program by setting the information security direction and communicating this through the corporate information security policy. The board must also receive management reports on the utility and effectiveness of their security program. This enables the board to ensure that their organization's security efforts remain on track.
The Role of Board Committees:
Board committees help the board carry out its duties efficiently and show that the board's responsibilities are being appropriately discharged. Several board committees can assist the board with its responsibility for information security: the IT oversight committee, the audit committee and the risk management committee. The information these committees provide to the board about the effectiveness of current security efforts further assists the board in reviewing the organization's security policy.
AN INFORMATION SECURITY RESPONSIBILITY FRAMEWORK:
The management side of information security involves actions by non-executive management and the CIO to address the implementation of information security from an infrastructure and best-practice point of view. The CIO plays a major role in the entire information security function, contributing to both the governance and the management of information security. In the context of information security management, the CIO works closely with the CISO to develop information security strategies covering activities such as risk management, risk monitoring and reporting. Business unit leaders, or department heads, are also responsible for ensuring that all employees are trained in security awareness and comply with information security policies, practices and procedures, so that they act responsibly with regard to the organization's information assets.
The development of an information security responsibility framework shows that both governance and management support are essential constituents of a comprehensive information security function. Together they enable an organization to address the full spectrum of information security risks by meeting all of its information security requirements.