Chapter 1 Security and Risk Management

Confidentiality
Supports the principle of least privilege: only authorized people, processes or systems get access to information, on a need-to-know basis. Confidentiality of information is supported through data classification. One way to maintain confidentiality is to encrypt information.
Integrity
Trustworthiness: information should be protected from intentional unauthorized or accidental changes. Controls are put in place to make sure that information is changed only through accepted practices.
Availability
Makes sure information is available to users when they need it.
Two threats to availability are:
– 1) DoS (denial of service)
– 2) Loss of service due to disaster, including capacity planning, system crash, outdated hardware, poor testing leading to a system crash after an upgrade, or natural disaster.
Security Governance
The purpose of governance is to make sure the right security activities are being performed, so that risks are appropriately reduced, investments are directed properly, and management understands the program and is asking the right questions to make sure it is working the way it is supposed to.
Sr. management
Makes the final decision on the level of security expenditures and risk.
Security management
Makes sure that risks are identified and that an adequate control environment is used to manage the risks.

Assess risk and find needs, then monitor and evaluate, promote awareness, and implement policies and controls; all of this is centered on central management.

Risk management
Gives you a way to keep executives informed on risks and to make informed decisions by using avoidance, transfer, mitigation or acceptance.
Risk Management Framework
– Strategic = risks that are part of the business environment and have an effect on business objectives and performance

– Organization = part of one’s environment, to include people, culture, structure, values

– Technology = use of systems and technology with availability, capacity, integrity, support, functions, and integration and change management

– Legal /Regulatory = contracts, interpretation of laws, compliance and regulation

Organizational processes
must understand the mission of the organization
acquisitions and mergers
new data types; new technology; new staff and new roles; threats from former employees, possible threats new group may face; vulnerabilities when systems are merged; new policies and standards to support compliance with laws, regulations; external business partners
divestitures and spinoffs
could cause data loss or leaks; system interconnections, protocols and ports left open after the function they were used for is no longer applicable; loss of visibility into network and system logs; new threats from employees forced out of the organization; revised standards, policies and procedures; data segregation deadlines
Governance Committees
Has to recruit and maintain the board for an organization
– makes sure the committee understands the importance of info sec and risk management
Committee recruitment exercises for new board members
– requirements for info security and risk aptitude
Security roles and responsibilities
ISSO/CISO should report to the CIO or the individual responsible for the information technology activities of an organization
Responsibilities of the ISSO
The ISSO is to ensure the protection of all the business information assets from loss, disclosure, alteration, destruction and unavailability. The ISSO is the facilitator of information security for the organization.
Organizational processes
Businesses don't stay the same; things change from day to day; you must be able to adapt and adjust to meet the needs of the company.
The security officer must be sure to inform
C-levels of the real business needs, with the facts clearly represented. It is the executive management of an organization that is responsible for information security. Presentations should be at a high level, enough to understand the technical safeguards, and not too detailed.
Reporting model
The security officer and information security should report as high in the organization as possible to:
– maintain visibility of the importance of information security
– limit the inaccurate translation of the message that can occur in hierarchically deep organizations
– have good working relationships with business executive management, middle management and end users
Reporting to the CEO reduces the filtering of messages that would otherwise pass through several layers.
Policies
must align with what the business does
SO and team are responsible
to make sure that security policies, procedures, baselines, standards and guidelines are written to address the information security needs of the company. Policies should be written with input from legal, HR, IT, compliance, physical security and the business units that must implement the policies.
Policy types
Senior management – high-level management statement of security objectives, organizational and individual responsibilities, ethics and beliefs, and general requirements and controls

Regulatory – detailed and concise policies mandated by federal, state, industry or other legal requirements

Advisory – not mandatory but recommended; has penalties or consequences for non-compliance; most policies fall into this category

Informative – only informs with no explicit requirements for compliance

Information system security role
Drafts security policies, standards and supporting guidelines, procedures and baselines. Provides guidance on technical security issues and emerging threats, and starts new policies.
Executive management
maintains the overall responsibility for protecting information assets of the company.
End users
At the end of the line; they are the eyes and ears that report security incidents and unusual behavior to the right people.
Data custodian
Maintains the systems and takes care of the information on behalf of the owner. Makes sure the data is backed up in case it is lost.
Info systems auditor
Makes sure systems comply with policies, procedures, standards, baselines, management direction and architecture.
Business continuity plans
**Initiation and management first steps:**
How do I keep my business in business?
Develop contingency plans to prepare for any time something may impact the company goals negatively.
DRP
How do I fix what is broken?
Physical security
Manages installation, maintenance and continuous operation, and assists in investigations.
Network administrator
Configures network and server hardware and operating systems. Uses patch management and software distribution methods to install updates and test patches.
External roles
Vendors, suppliers, contractors, temp employees, customers, buss partners, outsourced relationships should follow our security policies
Control frameworks
To make sure the ISSO is doing what they are supposed to be doing; there to help ensure that security and privacy requirements are met.

Framework should be
Consistent – a consistent governance program in how information security and privacy are approached and used.

Measurable – program must provide a way to set and see goals.

Modular – a single framework won't work for everybody at all times.

Standardized – a control framework should rely on standardization so results can be compared;

Extensible – flexible

Comprehensive – framework should cover the minimum legal and regulatory requirements of an organization;
Modular – should withstand changes in an organization.
COSO – banking to eliminate fraud;
ISO 27000 – series of documents that started with ISO 17799 and then became 27002 – best-practice how-to's; 27001 – an obtainable certification: put all the best practices into practice, then get certified. An Information Security Management System (ISMS) is a management process.

COBIT – how to do security for everything / auditing
ITIL – service framework and SLAs

Due care
Are you doing what you're supposed to be doing to protect the company? Are you following the guidelines, policies and controls?

**The care that a reasonable person would give under the circumstances; caring is correcting.**

What an individual's legal duty is.

If an organization is mandated to comply with regulations, then knowingly or unknowingly neglecting those requirements could lead to legal exposure from a due care perspective.

Due diligence
Putting something in place that is meant to stop harm to other persons or their property. It is the enforcement of due care.
Examples: vulnerability assessments, penetration tests, audits, background checks, credit checks, information system security assessments, risk assessments, contingency tests and backups, threat intelligence.

Security professionals should incorporate this as a core tenet of their career.

**About detection:** monitoring, auditing.

Legislative and regulatory compliance
Must be understood by the people who work in those countries and in the industries they are in. Laws and regulations must be met to qualify for a safe harbor provision, which is a set of good-faith conditions that, if met, may temporarily or indefinitely protect the organization from the penalties of a new law or regulation.

**Identify the requirement and comply with it.**

PCI Data Security Standard (PCI DSS)
All entities that hold, process or transfer credit card and cardholder information must meet these standards.
Privacy and data protection legislation
Federal Privacy Act
Health Insurance Portability and Accountability Act (HIPAA) for health related PII
Gramm-Leach-Bliley Act (GLBA) for economic and credit-related information
Health Information Technology for Economic and Clinical Health Act (HITECH)
Computer/Cyber Crime
Any criminal activity in which computer systems or networks are used as tools, in violation of a law or regulation.
Categories of crimes and motivations behind them:
Business, fun, disgruntled employees, corporate espionage, terrorism, financial gain.
Cyber terrorism
Destruction, theft of government secrets, financial attacks.
Impact of cyber crime
– loss of intellectual property and sensitive data; opportunity costs;
– damage to the brand image and company reputation;
– penalties and compensatory payments to customers;
– cost of countermeasures; and
– cost of mitigation strategies and recovery from cyber-attacks.
Federal Risk and Authorization Management Program (FedRAMP)
government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Intellectual property laws
Laws that protect both tangible and intangible items.
Patent
Protects novel, useful and non-obvious inventions; one of the most significant forms of intellectual property protection available. Gives the holder sole ownership of an invention for 20 years; the invention is published in the public domain. **Public**
Trademark
Protects the goodwill that merchants or vendors invest in the recognition of their products. Gives the owner of the marking exclusive rights over it; this is the protection of markings used to identify a vendor's or merchant's products and goods.

A trademark could be a word, name, symbol, color, sound, product shape, device or a combination of them, creating a unique identifier for a product that distinguishes it from others.

Registrations granted on or after November 16, 1989 have a 10-year term.

Copyright
Protects artistic property: books, music, databases, computer programs. It is not as strong as patent protection, but it lasts longer: at least 50 years after the author dies, or the 70 years under copyright protection.

The term of copyright protection of a work made for hire is 95 years from the date of publication or 120 years from the date of creation, whichever expires first. (A work not made for hire is ordinarily protected by copyright for the life of the author plus 70 years.)

Trade secrets
Refer to business or technical information, or to how a practice works.

A trade secret is not information that is generally known, and it must provide value to the business. Trade secrets can be protected forever, and they are the reason behind industrial espionage cases.

Licensing and different models
Software licenses have become easy to steal. Software can be licensed in different ways: freeware, shareware, commercial and academic.
Licensing agreement types
With these different types come a variety of agreements, including master agreements and end-user license agreements (EULAs).

There is also license metering software that can enforce compliance with software agreements.

Import/Export Controls
International Traffic in Arms Regulations (ITAR) – defines what a defense item is and what can be done with it.
Created to control any illegal transfer of information, defense items, technology or products that involve the military to parties not based in the US.

Export Administration Regulations (EAR) – allow the President to regulate the export of civilian goods and technologies that are military-related; data and know-how.

Trans-border data flow
Moving data across country borders from server to server; allows consumers access to the best technology resources around the world.
– ways to identify people, fight terrorism and fraud, and deliver services
– companies and governments are outsourcing to cut costs and increase efficiency
RFID
Radio frequency identification chips; cause concern about data going to other countries with no data protection legislation.
PII
Personally identifiable information.
OECD
Organisation for Economic Co-operation and Development; has categorized principles: collection limitation, data quality, purpose, safeguards, openness, participation and accountability.
Privacy
Rights and obligations of people who collect, use, retain or disclose personal information.
Data breaches
A form of incident that could result in the exposure of data.

A breach is an incident that results in the disclosure or potential exposure of data; a data disclosure is a breach where data is shown to have been disclosed to someone not authorized.

VERIS
Vocabulary for Event Recording and Incident Sharing (VERIS) is made to provide a common language for describing security incidents in a structured and repeatable way.
Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA)
Two examples of how consumer data is regulated by federal and state laws.
Code of ethics preamble
***Should adhere to the highest code of ethics.
– Protect society, the commonwealth and infrastructure – people
– Act honorably, honestly, justly, responsibly and legally – honor
– Provide diligent and competent service to principals – boss
– Advance and protect the profession – profession
Code of ethics canons:
protect society, the commonwealth and infrastructure

preserve public trust and confidence in information systems

understand and accept good security practices

preserve and strengthen the integrity of public infrastructure

don’t use unsafe practices
Act Honorably, Honestly, Justly, Responsibly and Legally

tell the truth

acknowledge all contracts and agreements (formal and informal); treat everyone fairly in resolving conflicts, with regard for public safety; duties to principals, individuals and the profession

give advice without bringing in uncalled-for stress or discomfort. Be honest, open and cautious, and know your competency level.

different laws apply in different jurisdictions; make sure you apply the law of where you are

Diligent and Competent Service to Principals
– maintain the value of the systems, apps and information
– respect the trust and privileges that you have
– stay away from conflicts of interest, or anything that looks like one
– only do what you can and are qualified to do

Advance and Protect the Profession
– sponsor those who are certified and abide by these canons
– don't tarnish the reputation of others through malice or indifference
– maintain your qualifications through skills and knowledge; give your time to helping others.

Support Organization Code of Ethics
develop a guide to computer ethics for your unit

develop an ethics policy to support the computer security policy

add information about computer ethics to the employee handbook

expand the business ethics policy to include computer ethics

learn more about ethics and spread the word

help bring awareness of computer ethics by taking part in a campaign

know your email privacy policy and be sure employees know what it is

Policy
** Management goals and objectives**

Document that defines the scope of security needed by the company, discusses the assets that need protection, and states the extent to which security solutions should go to provide the necessary protection.

An overview or generalization of the organization's needs: what we need to protect our assets; the security objectives and framework of the company.

standards
are specific mandatory requirements that further define and support higher level policies
baselines
are a consistent basis for an organization's security architecture, taking into account system-specific parameters, i.e. the OS
guidelines
don't have to be followed; they are recommendations, not requirements
procedures
detailed instructions on how to implement specific policies and meet the criteria defined in standards.
Business continuity plan
**My business is still working.** Analyze the business, assess risk, develop strategy, develop the plan and rehearse the plan. How do we get back into business, maintain our standards and meet our customer needs? Should have policies, procedures and documents, and a database of resources to call.
Financial risks formula
P * M = C
Probability * Magnitude = Cost
Probability of harm – chance that a damaging event will occur; magnitude of harm – amount of damage that would occur if a disaster should happen; cost of prevention – price of putting in place a countermeasure preventing the disaster's effects.
**Risk Assessment**
Analyze the business, assess risk, develop strategy, develop the plan and rehearse the plan.
Accept the risk – do nothing.
Accept the risk with an arrangement for after the incident.
Attempt to reduce the risk so as not to need outside help.
***
Risk avoidance – practice of coming up with alternatives
Risk transference – passing on the risk in question
Risk mitigation – decrease in the level of risk presented, through controls
Risk acceptance – practice of accepting certain risks based on a business decision
BIA
***
Helps a company decide what needs to be recovered and how quickly. Mission functions range from critical, essential and supporting to nonessential. Identifies impacts that might damage an organization's reputation, assets or financial position, and the timescale of interruption for each business activity, gathered through workshops, questionnaires, interviews and observation. Should tell us how long a unit can go without doing its work before it suffers serious financial losses; also potential loss scenarios.
Manage personnel security
A security professional might have to develop job descriptions, contact references and investigate the
Background checks are beneficial for risk mitigation: the most qualified candidate is hired; lower hiring cost; less turnover; protection of assets; screening for criminal activity.
Background checks could include
Credit history; criminal history – harder to get these records; the Fair Credit Reporting Act says that for an applicant earning more than 75K, their entire history can be seen.

Drug and substance testing – substance abuse can result in absenteeism, accidents, turnover, violence and computer crimes.

Prior employment – verify employment information, i.e. dates, title, performance and reason for leaving.

Job rotation
Reduces the risk of fraud and collusion between individuals; gives backup coverage, succession planning and job enrichment opportunities.
Separation of Duties (SOD)
One person should not have the ability to modify, delete and add data to a system. Separation reduces the chances of errors or fraud.

The same person should not hold more than one of these jobs: system admin; network; data entry; computer operations; security admin; development and maintenance; auditing; IS management; change management.

If there are not enough people, you might have to rely on a compensating control, i.e. monitoring or a supervisor; employees in information systems should not be allowed to enter data into a business system.

Least privilege
Need to know – granting access only when it is needed to perform your job.

This is known as a preventive or deterrent control, as the user knows that activity is logged and detection can tell how information was modified after the fact.

Mandatory vacation
Helps to identify fraudulent activities.
Friendly/unfriendly termination
Exit interview; NDA; collect access badges, tokens and cards.

Disable accounts immediately; escort from the building.

**Risk**
Risk is a function of the likelihood (probability) of a given threat source exercising a potential vulnerability, and the resulting impact of that adverse event on an organization.

Somebody doing something to cause you problems.

Risk is the possibility of loss.

Risk management is the way you assess, minimize and prevent accidental loss to a business through insurance and safety.

Steps to risk assessment
Prepare; conduct (identify threat sources and events, identify vulnerabilities, determine likelihood of occurrence, determine magnitude of impact, determine risk); then communicate results and maintain the assessment. An exhibit can be used to provide an audit trail for the company, or evidence for internal or external auditors about the current state of risk. You have to know what you are protecting.

Privacy and monitoring
Notifying or being conspicuous about monitoring can be good.
Threat source
Is the "somebody".
A vulnerability is the weakness that the somebody does something to.

Either the intent and method aimed at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability.

What is doing the bad thing.

Human, natural, technical, physical, environmental, operational.

Likelihood
Probability that a potential vulnerability may be exercised within the construct of a given threat environment.

A weakness being exploited inside the company.

Threat
Potential for a threat source to exercise a specific vulnerability.

Taking advantage of your weakness, which is a vulnerability, with an impact on the company.

Vulnerability
A flaw or weakness in system security procedures, implementation or internal controls that could be exercised and result in a security breach or a violation of the system security policy.
Impact
Magnitude of harm that could be caused by a threat's exercise of a vulnerability.
Asset
anything of value owned by a company both tangible and intangible
Safeguard
A countermeasure that removes or reduces a vulnerability or protects from one or more threats: a patch, configuration change, hiring a security guard, improving security policy, training personnel, etc.

Something put in place to minimize a threat.

Attack
An exploitation of a vulnerability by a threat; an intentional attempt to exploit a vulnerability to cause damage, loss or disclosure of assets; a violation of security policy. Something or somebody taking advantage of a weakness that we have. A port scan is a type of attack: it finds vulnerabilities that can then be taken advantage of.
Breach
The occurrence of a security mechanism being bypassed by a threat agent; when a breach is combined with an attack, penetration or intrusion can result. The threat agent gained access to a company by bypassing security controls and directly imperils assets: getting to the system and the underlying data, and taking information.

When threats are successful at penetrating in, it is a breach.

Mean time between failures (MTBF)
Measure of the anticipated incidence of failure for a system or component; a measure of reliability.
Mean time to failure (MTTF)
Average time to failure for a non-repairable system.
Mean time to restore (MTTR)
How long it takes to repair a system or component once it fails; found in SLAs.
Recovery Time Objective (RTO)
Maximum tolerable downtime: the amount of time the unit can function without the application before it causes big impacts.

Maximum acceptable downtime.

Recovery Point Objective (RPO)
The point in time to which a crashed or failed system needs to be restored.

How far back before the crash do we go to get our data?

Risk management process
Quantitative method
Results in percentages; the end result is a report with dollar figures for levels of risk, potential loss, cost of countermeasures and value of safeguards.

The act of assigning a quantity to risk.

Qualitative risk
Qualitative risk assessment provides results in a descriptive way.

Used when: risk assessors have little expertise in quantitative risk assessment; time is short; it is easier to do; there is not a lot of data to support the risk assessment; the assessor and team are long-time employees with a lot of experience with the business and its systems. The higher the risk level, the more immediate the need for the organization to act on the issue and make sure it is protected.

Exposure factor (EF)
The percentage of loss that a company would suffer if a specific asset were violated by a realized risk; how long it is exposed.
SLE
Single Loss Expectancy = the difference between the original value and the remaining value of an asset after a single exploit.

The cost associated with a single realized risk against a specific asset; the exact amount of loss.
SLE = Asset Value * Exposure Factor
AV * EF

Annualized Loss Expectancy (ALE)
An estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year; how many times it will happen in a given year.

Annualized Loss Expectancy = Single Loss Expectancy * Annualized Rate of Occurrence (ALE = SLE * ARO).

Known as probability determination.
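Worked example of the quantitative formulas above (SLE = AV * EF, ALE = SLE * ARO, and the P * M = C idea from the financial risks formula) carried through for one scenario. This is an added example, not part of the study notes; the asset value, exposure factor, ARO and safeguard cost are constructed figures, and the safeguard-value formula (ALE before minus ALE after minus annual cost of the safeguard) is the standard cost/benefit calculation that the notes do not spell out.

```python
"""Quantitative risk calculations: SLE, ALE and the value of a safeguard.

Added worked example; not from the study notes. The asset, exposure
factor, ARO and safeguard figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, as used in a quantitative risk assessment."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in a single incident (0.0 to 1.0)
    aro: float              # Annualized Rate of Occurrence, expected incidents per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF: the loss from one realized incident against the asset."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected loss per year.

    Same shape as the notes' P * M = C formula: ARO is the probability term,
    SLE is the magnitude, ALE is the (annual) cost.
    """
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a countermeasure (assumed formula, not stated in the notes):
    value = ALE before the safeguard - ALE after it - annual cost of the safeguard.
    A positive value means the safeguard pays for itself."""
    return ale_before - ale_after - annual_cost


def evaluate(scenario: Scenario, ef_after: float, aro_after: float,
             safeguard_cost: float) -> dict:
    """Work one scenario through SLE, ALE and safeguard value, before and after
    a countermeasure that changes EF and/or ARO. Returns the intermediate
    figures so they can be reported or checked."""
    sle_before = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    ale_before = annualized_loss_expectancy(sle_before, scenario.aro)
    sle_after = single_loss_expectancy(scenario.asset_value, ef_after)
    ale_after = annualized_loss_expectancy(sle_after, aro_after)
    return {
        "sle_before": sle_before,
        "ale_before": ale_before,
        "sle_after": sle_after,
        "ale_after": ale_after,
        "safeguard_value": safeguard_value(ale_before, ale_after, safeguard_cost),
    }


# Constructed sample: a customer database worth $500k; a ransomware incident is
# expected to destroy 40% of its value and to happen about once every two years.
RANSOMWARE = Scenario(name="ransomware on customer database",
                      asset_value=500_000.0, exposure_factor=0.40, aro=0.5)

if __name__ == "__main__":
    # Proposed safeguard (constructed): tested offline backups costing $30k/year.
    # They do not change how often ransomware lands (ARO) but cut the loss per
    # incident to 10% of the asset value.
    result = evaluate(RANSOMWARE, ef_after=0.10, aro_after=0.5, safeguard_cost=30_000.0)
    for key, value in result.items():
        print(f"{key:>16}: ${value:,.2f}")
```

With these figures the SLE is $200,000, the ALE is $100,000 per year, and the backup safeguard leaves an ALE of $25,000, so its value is $45,000 per year: it is worth buying. Changing the constructed numbers shows where the break-even point is for a given countermeasure cost.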

Risk avoidance
Coming up with alternatives so that the risk does not come to pass.
Risk transfer
Passing on the risk to someone else.
Risk mitigation
Getting rid of or reducing the risk, i.e. firewalls, IDS/IPS.
Risk acceptance
Accepting the risk in certain scenarios.
Containment
Applied when an exposure of important assets is exploited.
Deterrent
Discourages people from breaking the directive; the control's existence keeps bad actors out because getting around the control is harder than the reward for success. Warning messages during logon; multifactor authentication reduces system compromises.
Risk acceptance – countermeasure characteristics
A countermeasure should have: accountability; auditability; a known source; independence; consistency; cost effectiveness; reliability; ease of use; automation; sustainability; security; protection of CIA; the ability to back out if there is an issue.
Security architect
Thinks about business issues and how to design a strong architecture.
Security practitioner
Thinks about time and tools, and how to deploy a strong architecture.
Security professional
Thinks about how to manage the enterprise; metrics.
Preventive controls
Used to stop unwanted or unauthorized activity from occurring: fences, locks, biometrics, mantraps, job rotation, data classification, penetration testing, encryption, auditing, CCTV, callback procedures, security awareness, intrusion prevention, personnel security.
Detective controls
Once something has gotten past the preventive controls we must remedy the situation, reduce damage or restore controls; detective controls discover the activity after it has occurred: motion detectors, honeypots, IDS, IPS, incident investigation; go back after the fact and get information about what happened.

If deterrent, preventive and compensating controls don't thwart an attack, these warn when something has happened.

Corrective controls
Change the posture of an environment to fix deficiencies and take the environment back to a secure state; could be a quick fix like a new firewall rule, a router access rule or antivirus.
Deterrent access controls
Discourage people from breaking the directive; the control's existence keeps bad actors out because getting around the control is harder than the reward for success.

Fences, locks, banners, security cameras.

Directive controls
Rules of behavior in a company, also known as administrative controls; give guidance on what behavior is expected. They can be combined into a single acceptable use policy (AUP), signed at the time of security awareness training.
Recovery controls
Restore conditions to normal after an incident: fault tolerance, system imaging, server clustering, virtual machine shadowing.
Compensating access controls
Used in addition to or in place of another control; can be technical, procedural or manual. Instead of SSL, another encryption protocol could be used; separation of duties; can be a temporary solution to cover a short-term change. If current capabilities don't support a policy, a compensating control is used: transfer of PII in encrypted form; protecting data in transit instead of encrypting data at rest.
Administrative controls
Management controls: policies, processes and management of an access control system. When changes to an environment happen they must be documented, approved, tested, applied, verified and deployed. The architect, practitioner and professional are all involved in the BCP/DRP used in a disaster recovery.
Logical controls
Hardware or software used to manage access, i.e. passwords, smart cards, biometrics, clipping levels.
Network – used to restrict communication and restrict who connects to and uses the infrastructure. A proxy system could control web access; a firewall could block ports; a proxy could also block HTTP sessions. Network access control restricts access based on a policy defined by the system admin.
Remote – VPN is a popular solution for remote access.
Physical controls
Prevent, monitor or detect direct access to systems within the facility.
Control assessment
Verify that the implementers and operators of information systems meet the goals and objectives; how effective are the security controls used to implement a system?
Controls are measured by
Vulnerability scanning and penetration testing
– Vulnerability testing: also known as ethical hacking, tiger teaming and red teaming. It

Penetration testing – the next step after vulnerability scans.

Audits – e.g. try tailgating someone through the door; pretend to be tech support.

Tangible asset valuation
Tangible: you can touch it; it has a physical presence. Intangible: trademarks, patents, copyrights, business processes, brand recognition, intellectual property. Intangibles are also known as definite or indefinite: an intangible asset can have a definite expiration period. Example: a patent has value as long as it is enforceable; when the patent expires, there is no more value.
Intangible asset valuation
Morale, reputation, brand, customer satisfaction.
Reporting
Needs to go up the chain as high as it can go; the ISO should explain technical terms in everyday language.
Deming cycle
PDCA – plan, do, check, act.
Risk management frameworks
Aligning risk appetite and strategy – management states the risk appetite in order to evaluate strategic alternatives; enhancing risk response decisions – how to select the right choice among avoidance, reduction, sharing and acceptance.
ISO/IEC 27002
Guideline and best practice; an example of a framework. A code of practice for information security management: a best-practice framework for implementing and managing an information security program, from the International Organization for Standardization and the International Electrotechnical Commission.
ISO/IEC 27001
Standard that gives more detailed implementation guidance for practitioners and defines the requirements for the formal specification of an information security management system.
Threat model
Procedure for optimizing network, application and internet security by identifying objectives and vulnerabilities and defining countermeasures to prevent or mitigate their effects.
Threat
Potential or actual undesirable event that may be malicious (i.e. DoS) or incidental.
Assessment scope
Identify what your assets are.
Possible attacks
Who are the people that might attack an application; understand existing countermeasures; inside, outside, accidental and malicious attacks.

Include any and all existing countermeasures deployed.

Prioritized risk
Each threat is given a likelihood number and an impact factor to determine the overall risk or severity level.
Identify countermeasures
To reduce threats – how to reduce the risk to an acceptable level.
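An added example (not from the study notes) of the prioritized-risk step of the threat model above, in the descriptive style of the qualitative risk method: each threat in a register gets a likelihood and an impact rating, the two are combined into a score and severity level, and the threats still above the acceptable level are the ones that need countermeasures. The 3-point scale, the severity bands and the sample threat register are constructed assumptions; real programs use whatever scale their risk framework defines.

```python
"""Qualitative risk ranking for a threat model: likelihood x impact -> severity.

Added example; not from the study notes. The 3-point rating scale, the
severity bands and the sample threat register are constructed assumptions.
"""
from dataclasses import dataclass

# Ordinal scale (assumption): low = 1, medium = 2, high = 3.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Threat:
    """One entry in the threat register built during the 'possible attacks' step."""
    name: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"
    existing_countermeasure: str = ""  # recorded so it is not proposed twice


def risk_score(likelihood: str, impact: str) -> int:
    """Overall risk = likelihood rating * impact rating, on an assumed 3x3 matrix."""
    try:
        return RATING[likelihood] * RATING[impact]
    except KeyError as bad:
        raise ValueError(f"unknown rating {bad}; use low, medium or high") from None


def severity(score: int) -> str:
    """Map a 1..9 score onto a severity level (assumed bands: 1-2 low, 3-4 medium, 6-9 high)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(register, acceptable_level="low"):
    """Rank threats from highest to lowest score and keep those whose severity is
    above the acceptable level: the ones that still need a countermeasure.
    Returns (name, score, severity) tuples in priority order."""
    scored = [(t.name, risk_score(t.likelihood, t.impact)) for t in register]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(name, score, severity(score)) for name, score in scored
            if RATING[severity(score)] > RATING[acceptable_level]]


# Constructed sample register for a customer-facing web application.
REGISTER = [
    Threat("phishing of help-desk staff", "high", "medium", "awareness training"),
    Threat("tailgating into the server room", "medium", "medium", "badge readers"),
    Threat("baiting with dropped USB drives", "low", "high"),
    Threat("DoS against an internal test server", "low", "low"),
]

if __name__ == "__main__":
    for name, score, level in prioritize(REGISTER):
        print(f"{score}  {level:<6}  {name}")
```

Run as-is, the register comes out phishing (6, high), tailgating (4, medium), baiting (3, medium); the low-scoring test-server DoS is at the acceptable level and drops off the list. Raising `acceptable_level` to "medium" leaves only the phishing threat, which is how the "reduce the risk to an acceptable level" step turns into a short list of countermeasures to fund.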
Potential attacks
Baiting – getting you to give up information: the attacker leaves a malware-infected CD-ROM or flash drive in a location and waits for you to use the device.

Tailgating – following behind someone.

Phishing – a type of social engineering that uses email or a malicious website to get personal information by posing as a trustworthy group.

Reduction analysis
Avoid being a victim and reduce security risks.
Remediate threats
Policies, IDS, IPS, firewalls, encryption, security protocols, SSL/TLS.
Acquisition
Hardware and software; need to have redundancy.
Manage third-party governance
Three types: IaaS, PaaS and SaaS.
Minimum security requirements
Up to the organization; make a list of what is required and then tie them together.
Service Level Requirements
Hold the requirements for a service from the client's viewpoint, and get made into an SLA.
Starting point in awareness training
Using security policies.
P2P / peer to peer
Can transmit viruses and malware.
Internet Activities Board (IAB) – RFC 1087
A 1989 statement of policy on ethics and the proper use of resources on the Internet.
SET
Secure Electronic Transaction (SET)
By Visa and MasterCard for secure offline debit card transactions.
PGP
Pretty Good Privacy – public-key email and data encryption, by Phil Zimmermann.
Sanitized
Media is erased or cleared; the process of preparing media so that classified data cannot be recovered before, during or after final destruction.
Purging
Making the information unrecoverable.
Degaussing
Magnetic scrambling of the patterns on a tape or disk.
Wassenaar Agreement
International agreement on dual-use goods, which can serve either civilian or military purposes.