CISSP Domain 3: Information Security Governance and Risk Management

CIA Triad
Confidentiality
Integrity
Availability
Availability
Ensures reliability and timely access to data and resources to authorized individuals.

Ways to provide:
-RAID
-Clustering
-Load Balancing
-Redundant data and power lines
-Software and data backups
-Disk shadowing
-Co-location and off-site facilities
-Roll-back functions
-Fail-over configs

Integrity
Upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented.

Ways to provide:
-Hashing (data integrity)
-Config Mgmt (system integrity)
-Change Control (process integrity)
-Access controls (physical and technical)
-Software digital signing
-Transmission CRC functions

Confidentiality
Ensures that the necessary level of secrecy is enforced at each juncture of data processing and prevents unauthorized disclosure.

Level of confidentiality should persist with data at rest, devices within network, data in flight, and once data reaches its destination.

Can be provided by:
-encrypting data at rest (whole disk, database encryption)
-encrypt data in transit (IPSec, SSL, PPTP, SSH)
-strict access control and data classification (physical and technical)
-training personnel

Social Engineering
When one person tries to trick another into sharing confidential information (such as posing as a person who already is authorized to have access to information).
Asset
Valuable resources you are trying to protect:

-data
-systems
-people
-buildings
-property

Vulnerability
Lack of a countermeasure or a weakness in a countermeasure that is in place.

Weakness in:
-software
-hardware
-procedural
-human

Basically, a weakness that allows a threat to cause harm.

Threat
Any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone or something will identify a specific vulnerability and use it against the company or individual.

Anything that potentially can cause harm to an asset.

Threat Agent
The entity that takes advantage of a vulnerability.
Risk
The likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.

Risk ties the vulnerability, threat, and likelihood of an exploitation to the resulting business impact.

RISK = THREAT x VULNERABILITY

Impact
The severity of the damage, sometimes expressed as dollars.

RISK = THREAT x VULNERABILITY x IMPACT (COST)

Risk Analysis Matrix
Uses a quadrant to map likelihood of a risk occurring against a consequence (or impact) the risk would have.
Exposure
An instance of being exposed to loss.
Calculate value of intangible asset
According to Deloitte…

1. Market Approach: Assumes that the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances.

2. Income Approach: Based on premise that the value of a security or asset is the present value of the future earning capacity that an asset will generate over its useful life.

3. Cost Approach: Estimates the fair value of the asset by reference to the costs that would be incurred in order to recreate or replace the asset.

Control
Sometimes referred to as a “countermeasure” and is put into place to mitigate (reduce) the potential risk.

May be a software configuration, hardware device, or procedure.

Examples:
-strong passwords
-firewalls
-security guards
-access control mechanisms
-encryption
-security-awareness training

Security Definitions Relationship
See image for diagram.
3 Types of Control Categories
-Administrative
-Technical
-Physical
Administrative Control Type
“Soft Controls”
Management-oriented

Examples:
-Security Documentation
-Risk Management
-Personnel Security
-Training

Technical Control Type
“Logical Controls”
Software or hardware components

Examples:
-Firewalls
-IDS
-Encryption
-Identification and Authentication mechanisms
-Antimalware

Physical Control Type
Controls put in place to protect facility, personnel, and resources.

Examples:
-Security Guards
-Locks
-Fences
-Lighting

Defense in Depth
Coordinated use of multiple security controls in a layered approach.

The more sensitive an asset, the more layers of protection put in place.

6 Types of Control Functionalities
Deterrent
-Intended to discourage a potential attacker

Preventive
-Intended to avoid an incident from occurring
-Should be number 1 consideration for security structure of an environment
-Should implement with detective

Corrective
-Fixes components or systems after an incident occurred

Recovery
-Intended to bring the environment back to regular operations

Detective
-Helps identify an incident’s activities and potentially an intruder
-Should be implemented with preventive

Compensating
-Controls that provide an alternative measure of control
-Alternate control that provides similar protection as the original control, but has to be used because it is more affordable or allows specifically required business functionality.

Security Frameworks
These frameworks OUTLINE the necessary components of an organizational security program.

BS7799
ISO/IEC 27000 Series

BS7799 Security Framework
-British Standard BS7799
-Developed in 1995 by U.K.
-Outlines how an Information Security Management System (ISMS), also known as a security program, should be built and maintained.
-Goal was to provide guidance to organizations on how to design, implement, and maintain policies, processes, and technologies to manage risks to its sensitive assets.
ISO/IEC 27000 Series Security Framework
-Built on top of already established BS7799
-Industry best practice
-Follows PDCA cycle:
–Plan (establish objectives and make plans)
–Do (implementation of plans)
–Check (measure results to see if objectives are met)
–Act (how to correct and improve plans to better achieve success)

ISO 27000: Overview/Vocabulary
ISO 27001: ISMS requirements
ISO 27002: Code of practice in info security mgmt
ISO 27003: Guidelines for ISMS implementation
ISO 27004: Guidelines for ISMS measurement and metrics
ISO 27005: Guidelines for info security risk mgmt
ISO 27006: Guidelines for audit and certification of ISMS
ISO 27011: Guidelines for telecommunications
ISO 27031: Guidelines for business continuity
ISO 27033-1: Guidelines for network security
ISO 27799: Guidelines for health organizations

Enterprise Architecture
Encompasses the essential and unifying components of an organization. Expresses the enterprise structure (form) and behavior (function). It embodies the enterprise’s components, their relationships to each other, and to the environment.

When developing an architecture, first identify stakeholders. Then create views that illustrate the information in a way conducive to the parties looking at the architecture.

Should allow one to understand the company from several different views and to understand how a change at one level will affect items at another level.

Enterprise Architecture is needed to present information in a way in which all consumers of the information can understand.

Enterprise Architecture Frameworks
Zachman Framework
TOGAF
DoDAF
MODAF
Zachman Architecture Framework
Created by John Zachman

Two-dimensional model using 6 basic communication interrogatives (what, how, where, who, when, and why) intersecting with different viewpoints (Planner, Owner, Designer, Builder, Implementer, and Worker) to give a holistic understanding of the enterprise.

Goal of the model is to be able to look at the same organization from different views (Planner, Owner, Designer, Builder, Implementer, and Worker).

This framework is NOT security oriented.

The Open Group Architecture Framework (TOGAF)
Origins in U.S. DoD

Provides an approach to design, implement, and govern an enterprise information architecture.

Develops the following architecture types:
-Business Architecture
-Data Architecture
-Applications Architecture
-Technology Architecture

Creates individual architectures through use of its Architecture Development Method (ADM). This allows an analyst to understand organization from 4 different views (business, data, applications, technology).

Dept. of Defense Architecture Framework (DoDAF)
DoDAF military-oriented framework

Focus is on command, control, communications, computers, intelligence, surveillance, and recon systems and processes.

Helps ensure all systems, processes, and personnel work in concerted effort to accomplish its missions.

British Ministry of Defense Architecture Framework (MODAF)
MODAF military-oriented framework

Based on DoDAF

Crux of framework is to be able to get data in the right format to the right people as soon as possible.

Enterprise Security Architecture
Helps us integrate the requirements outlined in our security program.

Subset of enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally.

Main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost effective manner.

Sherwood Applied Business Security Architecture (SABSA)
Similar to Zachman Framework

Layered model with first layer defining business requirements from a security perspective.

Framework and methodology for enterprise security architecture and service management.

What’s Needed in Enterprise Security Architecture to be Effective
Strategic Alignment
-Business drivers and the regulatory and legal requirements are being met by the security enterprise architecture.

Business Enablement
-Core business processes are integrated into the security operating model–they are standards-based and follow a risk tolerance criteria.

Process Enhancement
-Organization must take a close look at their business processes that take place on an ongoing basis.

Security Effectiveness
-Metrics
-SLA
-ROI
-baselines
-dashboards
-scorecards

Enterprise versus System Architectures
Enterprise architecture addresses the structure of an organization.

System architecture addresses the structure of software and computing components.

Security Controls Development
CoBiT
NIST 800-53
COSO
CoBiT
Control Objectives for Information and related Technology

Private Sector

Derived from COSO. COSO is model for corporate governance, CobiT is model for IT governance.

Security framework that acts as a model for IT governance and focuses more on operational goals.

Framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.

Broken down into four domains
-Plan and Organize
-Acquire and Implement
-Deliver and Support
-Monitor and Evaluate

Provides checklist approach to IT governance by providing a list of things that must be thought through and accomplished when carrying out different IT functions.

CobiT provides the objectives that the real-world implementations (controls) you choose to put in place need to meet. Where ISO27000 would say “Unauthorized access should not be permitted”, CobiT would define the specific objectives that must be met to satisfy this.

Most security auditing practices used today in the industry are based off CobiT.

NIST 800-53
U.S. government control objectives

Outlines controls that agencies need to put in place to be compliant with Federal Information Security Management Act of 2002.

Control categories (families) are the Management, Operational, and Technical controls prescribed for an information system to protect confidentiality, integrity, and availability of the system and its information.

i.e. (family–class)
Access Control–Technical
Audit and Accountability–Technical
Risk Assessment–Management
Security Assessment and Authorization–Management
Contingency Planning–Operational
Maintenance–Operational

Government auditors use SP 800-53 as their “checklist” approach for ensuring that government agencies are compliant with government-oriented regulations.

COSO
Committee of Sponsoring Organizations (of Treadway Commission in 1985)

Created to deal with fraudulent financial activities and reporting.

Security framework that acts as a model for corporate governance and focuses more on strategic goals.

Made up of the following components:
-Control Environment
-Risk Assessment
-Control Activities
-Information and Communication
-Monitoring

Model for corporate governance (where CobiT is model for IT governance).

Deals more with non-IT items such as company culture, financial and accounting principles, board of director responsibilities, and internal communication structures.

SOX is based on COSO.

Process Management Development
ITIL
Six Sigma
Capability Maturity Model Integration (CMMI)
ITIL
De facto standard of best practices for IT service management.

Was created because of the increased dependence on IT to meet business needs.

Focus is more toward internal SLAs between the IT department and the “customers” it serves.

Six Sigma
Process improvement methodology. It is the “new” and improved TQM.

Goal is to improve process quality by using statistical methods of measuring operation efficiency and reducing variation, defects, and waste.

Developed by Motorola with the goal of identifying and removing defects from its manufacturing processes.

OMB Circular A-130
OMB Circular A-130 was developed to meet information resource management requirements for the federal government.

According to this circular, independent audits should be performed every three years.

Capability Maturity Model Integration (CMMI)
Came from security engineering world

Model is also used within organizations to help lay out a pathway for how incremental improvement can take place.

Crux of CMMI is to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes and security posture.

Developed by Carnegie Mellon

Top-down vs. Bottom-up Approach to Security Program
Top-down: Initiation, support, and direction come from top management, work through middle management and then reach staff members.

Bottom-up: Staff (usually IT) try to develop a security program without getting proper management support.

Bottom-up is far less effective than top-down approach.

Security Program Lifecycle
1. Plan and organize
–Establish management commitment.
–Establish oversight steering committee.
–Assess business drivers.
–Develop a threat profile on the organization.
–Carry out a risk assessment.
–Develop security architectures at business, data, application, and infrastructure levels.
–Identify solutions per architecture level.
–Obtain management approval to move forward.

2. Implement
–Assign roles and responsibilities.
–Develop and implement security policies, procedures, standards, baselines, and guidelines.
–Identify sensitive data.
–Implement the following blueprints:
—–Asset identification and management
—–Risk management
—–Vulnerability management
—–Compliance
—–Identity management and access control
—–Change control
—–Software development life cycle
—–Business continuity planning
—–Awareness and training
—–Physical security
—–Incident response
–Implement solutions.
–Develop auditing and monitoring solutions.
–Establish goals, service level agreements (SLAs), and metrics.

3. Operate and maintain
–Ensure that all baselines are met.
–Complete internal and external audits.
–Complete tasks outlined in the blueprints.
–Manage SLAs as outlined in the blueprints.

4. Monitor and evaluate
–Review logs, audit results, collected metric values, and SLAs per blueprint.
–Assess accomplishments.
–Carry out quarterly meetings with steering committees.
–Develop improvement steps and integrate into the Plan and Organize phase.

Putting the pieces together
Think of ISO27000 mainly working at the policy level as a DESCRIPTION of the type of house you want to build (two-story, five bedroom, three bath).

Security enterprise framework is the ARCHITECTURE layout of the house (foundation, walls, ceilings).

Blueprints are the detailed descriptions of specific components in the house (window types, security system, electrical and plumbing).

An inspector uses checklists to inspect the house, just as an auditor uses checklists (CobiT/SP 800-53) to ensure that you are building and maintaining your security program securely.

Once house is built, procedures for running the house day in and day out are implemented. This is where ITIL comes into play.

Optimizing daily activities occurs with Six Sigma.

Risk Management
In the context of security, it’s the possibility of damage happening and ramifications of such damage should it occur.

Information Risk Management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.

Types of Risk
-Physical damage
-Human interaction
-Equipment malfunction
-Inside and outside attacks
-Misuse of data
-Loss of data
-Application error

IRM Policy
Requires strong commitment from senior management, documented processes that support the organization’s mission, an IRM policy, and a delegated IRM team.

IRM policy provides the foundation and direction for the organization’s security risk management processes and procedures.

Risk Management Team
Overall goal is to ensure the company is protected in the most cost-effective manner.

Should have one person assigned to lead the IRM team and devote at least 50-70% of their time to this.

Risk Assessment
Is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls.

Used to GATHER DATA

Risk assessment calculates the probability of a vulnerability being exploited and the associated business impact. In contrast, a vulnerability assessment is just focused on finding the vulnerabilities (the holes).

Risk Analysis
Helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.

Four Main Categories:
1. Identify asset and value to organization
2. Identify vulnerabilities and threats
3. Quantify probability and impact of threats
4. Provide economical balance between impact of threat and cost of control

Provides a cost/benefit comparison: this compares the annualized cost of the control versus the potential cost of loss. A control’s cost should generally not exceed the potential loss.

Used to EXAMINE the gathered data and PRODUCE RESULTS that can be acted upon.

Risk Analysis Team
Should include individuals from many or all departments to ensure that all the threats are identified and addressed.

Must include people who understand the individual processes in their department(s).

Asset Value (AV)
Determined by the importance the asset has to the organization.
Loss Potential
What the company would lose if a threat agent actually exploited a vulnerability.
Delayed Loss
Loss that occurs well after the vulnerability is exploited.

Loss of market share
Reputation damaged
Civil suits

Methodologies of Risk Assessment
NIST SP 800-30
FRAP
OCTAVE
AS/NZS 4360
ISO 27005
FMEA
CRAMM
NIST SP 800-30
Named Risk Management Guide for IT Systems

Considered U.S. federal government standard

Specific to IT threats and how they relate to IT security risks.

Mainly focused on computer systems and IT security issues.

Covers IT and operations

Does not cover larger threats like natural disasters, succession planning, etc.

FRAP
Facilitated Risk Analysis Process

Qualitative methodology

Focuses only on the systems that need assessing, to reduce time and cost obligations.

Used when budget is limited.

Stresses pre-screening so that risk assessments are carried out only on the systems that need them.

Used to analyze one system, application, or process at a time.

Does not support calculating exploitation probability or annual loss expectancy.

OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation

Created by Carnegie Mellon

Methodology intended to be used in situations where people manage and direct the risk evaluation for information security within the company.

Puts people that work inside the company in position to make decisions on what the best approach is to secure organization.

Uses facilitated workshops.

Stresses self-directed team approach.

Used to analyze ALL systems, ALL applications, and ALL processes (FRAP just analyzes individual systems, applications, and processes).

Three-phase process:
1. Identify staff knowledge, assets, and threats
2. Identify vulnerabilities and evaluate safeguards
3. Conduct risk analysis and develop a risk mitigation strategy

AS/NZS 4360
Broad approach to risk management

Used to understand company’s financial, capital, human safety, and business risk decisions.

Focused on health of a company from a business point of view, not security.

ISO 27005
Risk methodology that can be integrated into an organization’s security program and that addresses all threats an org could be faced with.

International standard on how risk management can be carried out in ISMS.

Covers IT and softer items, like documentation, personnel security, training, etc.

FMEA
Failure Modes and Effect Analysis

Used for determining functions, identifying functional failures, and assessing the causes of failure and their effects through a structured process.

Used to dig into details of specific systems.

Commonly used in product development and operational environments.

Goal is to identify where something is most likely to break and either fix the flaw or implement controls to reduce the impact of the break.

Failure Modes (how something can break or fail)
Effects Analysis (impact of that break or failure)

First developed for systems engineering with purpose of examining potential failures in products and the process involved with them.

Not useful in discovering complex failure modes that may be involved in multiple systems or subsystems.

Fault Tree Analysis
Approach to identify failures that can take place within more complex environments and systems.

Used to dig into details of specific systems.

CRAMM
Central Computing and Telecommunications Agency Risk Analysis and Management Method

Created by the U.K., and tools sold by Siemens.

Three stages:
1. Define Objectives
2. Assess Risks
3. Identify Countermeasures

Risk Analysis Approaches
Quantitative
Qualitative
Quantitative Risk Analysis
Used to assign monetary and numeric values to all elements of the risk analysis process.

Example:
Organization would be at risk of losing $100,000 if a buffer overflow was exploited on a web server.

SLE
Single Loss Expectancy. Quantitative analysis equation used to assign a dollar amount to a single event/asset, representing the company’s potential loss amount if a specific threat were to take place.

Asset Value x Exposure Factor (EF) = SLE

Exposure Factor (EF) represents the percentage of loss a realized threat could have on a certain asset.

Example:
Data warehouse asset value = $150,000
If fire, 25% would be lost

Asset Value ($150,000) x EF (25%) = SLE ($37,500)

ALE
Annual Loss Expectancy. Tells company the annual amount of exposure, in terms of dollars, that could be expected for a loss of a single asset.

SLE x Annualized Rate of Occurrence (ARO) = ALE

ARO is value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe.

Range for ARO:
0.0 (never)
1.0 (once per year)
> 1 (several times per year)

Examples:
3 times / year = 3.0
Once every 10 years = 0.1
Once every hundred years = 0.01

ALE Example:
Fire in data warehouse causes SLE of $37,500
Expected to occur once every 10 years

SLE ($37,500) x ARO (0.1) = ALE ($3,750)

So company could spend $3,750 or less annually on controls to mitigate fire destruction of the data warehouse asset. Spending more than $3,750 would not make sense.

TCO and ROI
TCO = total cost of a mitigating safeguard. It combines upfront costs (often a one-time capital expense) plus annual costs of maintenance, including staff hours, vendor maintenance fees, software subscriptions, etc.

ROI = the amount of money saved by implementing a safeguard.

If TCO is less than ALE, you have a positive ROI (good decision). If TCO is higher than ALE, you have a negative ROI (bad decision).

Qualitative Risk Analysis
Uses a “softer” approach to the data elements of the risk analysis process. Does not quantify the data, which means it does not assign numeric values to the data so that they can be used in equations. Ranks the seriousness of threats and the validity of different possible countermeasures based on opinions.

Examples on gathering data:
-Brainstorming
-Story boards
-Meetings
-Focus groups
-Surveys
-Delphi (group decision making where people submit their ideas individually, not during a group activity; this helps reduce group pressures)

Example Scenario:
Risk of a buffer overflow exploitation on a web server would be rated as red, yellow, or green. A scale could also be used, such as a scale of 1-5. No monetary values are assigned.

Quantitative versus Qualitative
Cost-benefit Analysis
(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company

Example:
ALE threat hacker brings down web server: $12,000
ALE after implementing safeguard = $3,000
Annual cost of safeguard = $650

$12,000 – $3,000 – $650 = $8,350 (annual value of safeguard)

Risk
Residual Risk: risk that remains after company has provided some level of countermeasure for a risk. Sometimes expressed as:

total risk – countermeasures = residual risk
–or–
Threats x vulnerabilities x assets x (control gap) = residual risk

Total risk: Risk company faces if it chooses not to implement any safeguard. Expressed as:

Threats x vulnerabilities x assets = total risk

Handling risk:
-Risk Transfer: purchase insurance
-Risk Avoidance: terminate activity that’s introducing risk
-Risk Mitigation: Reduce risk to acceptable level (i.e. implement firewalls, training, IDS/IPS)
-Risk Acceptance: Simply live with the risk and do not implement countermeasures.

Security Policy
A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.

A security policy defines the technology that should be used to control access to a company’s network or buildings.

-organizational policy
-issue-specific policy
-system-specific policy.

Organizational Security Policy
Policy where management establishes how a security program will be setup, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out.

Formulated by management, this security policy defines the procedure used to set up a security program and its goals. It identifies the major functional areas of information and defines all relevant terms. Management assigns the roles and responsibilities and defines the procedure used to enforce the security policy. A security policy is developed prior to the implementation of standard operating procedures. Organizational policies are strategically developed for the long term.

Referred to as Master Security Policies

Issue-Specific Policy
Also called a Functional Policy.

Addresses specific security issues that management feels needs more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.

An issue-specific security policy involves the detailed evaluation of security problems and addresses specific security issues. An issue-specific security policy ensures that all employees understand these security issues and that they comply with the security policies defined to address these security issues.

Example:
Email security policy stating management has right to read employee’s emails residing on a server, but not when they reside on a user’s workstation.

System-Specific Policy
Presents management’s decisions that are specific to the actual computers, networks, and applications.

A system-specific policy defined by management describes the rules governing the protection of information processing systems, such as databases, computers, and other infrastructure equipment. A system-specific policy is strategic in nature and is designed with a long-term focus. This policy restricts the use of software to only those approved by management and further defines the policies and guidelines for system configuration, implementation of firewalls, intrusion detection systems, and network and virus scanners. A system-specific policy is used to implement security configuration settings that have been determined to provide optimum security to the infrastructure assets. It should include a statement of senior executive support and a definition of the legal and regulatory controls.

Example:
Policy that outlines how a database containing sensitive info should be protected, who has access, and how auditing will take place.

Information Policy
Classification of information is typically part of an information policy. A company usually has at least two information classifications: public and proprietary. Public information can be revealed to the public, and proprietary information can only be shared with individuals who have signed a non-disclosure agreement. Some companies also use the restricted classification. Only a small group of individuals within a company can gain access to restricted information. The cornerstone of a well-defined information policy is to limit individual access to that information which the individual ‘needs to know’ to perform required functions.
Types of Policies
Regulatory: policy that ensures the company is following standards such as SOX, GLBA, HIPAA, etc.

Advisory: Strong advisement of following a policy. List possible ramifications if not followed. Might describe how to handle medical or financial information.

Informative: Informs employees of certain topics. Not enforceable. Stuff like how a company interacts with its partners, company’s goals, etc.

4 Things All Program Policies Should Have
-Purpose
-Scope
-Responsibilities
-Compliance
Policy
High-level management directives. Does not go into specifics.

Policy is mandatory.

Policy would not use terms like Windows or Linux. Instead, server policy would state things like protecting confidentiality, integrity, and availability of the system.

Procedures
Detailed step-by-step tasks that should be performed to achieve a certain goal.

How to install an OS, configure security parameters, setup new user accounts, etc.

Standards
Mandatory activities, actions or rules.

Gives a policy its support and reinforcement in direction.

Describes the specific use of technology:
–All employees receive a Windows 7-based desktop with a 2.8 GHz CPU, 16 GB RAM, and a 2 TB hard drive.

Standards are mandatory.

Guidelines
Recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply.

Deals with methodologies of technology, personnel, or physical security.

Discretionary. Not mandatory.

Baselines
Refers to a point in time that is used as a comparison for future changes.

Consistent reference point.

Used to define minimum level of protection required.

A uniform way to implement a safeguard; discretionary.

Policy/Procedure/Standard/Guideline/Baseline Example
Security Policy Flow
Security Policy indicates confidential info should be protected

Supporting standard mandates all customer info be held in database and be encrypted with AES256.

Procedures explain exactly how to implement AES and IPSec.

Once configuration is completed, the system is now at baseline.

Information Classification
Need to classify information to organize it according to its sensitivity to loss, disclosure, or unavailability.

Primary purpose is to indicate the level of confidentiality, integrity, and availability protection that is required for each type of data set. Ensures data is protected in the most cost-effective manner.

Common levels of sensitivity for Commercial businesses
-Confidential
-Private
-Sensitive
-Public

Common levels of sensitivity for Government
-Top secret
-Secret
-Confidential
-Sensitive, but unclassified
-Unclassified

Board of Directors
Group of individuals who are elected by the shareholders of a corporation to oversee the fulfillment of the corporation’s charter.

Goal is to ensure shareholder’s interests are being protected and that corporation is running properly.

Executive Management
CEO/CFO

Responsible for informing stakeholders of firm’s financial condition and health.

CIO
Responsible for strategic use and management of information systems and technology within the organization.

Ultimately responsible for the success of the security program.

CPO
Responsible for ensuring that customer, company, and employee data are kept safe.

Often reports to CSO

CSO
Responsible for undertaking the risks that the company faces and for mitigating these risks to an acceptable level.

Must understand the organization’s business drivers, creating a security program, security compliance, etc.

Privacy versus Security
Privacy: Indicates the amount of control an individual should be able to have and expect as it relates to the release of their own sensitive information.

Security: The mechanisms that can be put in place to provide this level of control.

Security Steering Committee
Responsible for making decisions on tactical and strategic issues within an enterprise as a whole and should not be tied to a specific business unit.

CEO should head this committee.

Should meet at least quarterly.

Audit Committee
Appointed by Board of Directors to evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting.

Goal is to provide open and independent communication between the Board of Directors and the company’s management and internal/external auditors.

Data Owner
Member of management in charge of a specific business unit and ultimately responsible for the protection and use of a specific subset of information.

Can be held responsible for data.

Decides on data classification, backups, disclosure, approves access requests.

Delegates responsibilities to Data Custodian.

Data Custodian
Responsible for maintaining and protecting data.

Fulfilled by IT or Security department.

Implements the controls necessary for protecting, backing up, maintaining security controls, etc.

System Owner
Responsible for one or more systems, each of which may hold and process data owned by different data owners.

Ensures systems are properly assessed for vulnerabilities and reports incidents to team and data owner.

Security Administrator
Responsible for implementing and maintaining specific security network devices and software in the enterprise.

Include things like IDS, IPS, antimalware, proxies, data loss prevention, etc.

Includes new user account creation, implementing new security software, testing security patches, and issuing new passwords.

Security Analyst
Strategic level employee who helps develop policies, standards, and guidelines along with setting baselines.

Design level person.

Application Owner
Usually business unit managers.

Responsible for dictating who can and cannot access their applications.

Supervisor
Also called a user manager.

Responsible for all user activities and any assets created and owned by these users.

Change Control Analyst
Responsible for approving or rejecting requests to make changes to the network, systems, or software.
Data Analyst
Responsible for ensuring that data is stored in a way that makes sense to the company and to the individuals who need access to and work with it.
Process Owner
Responsible for properly defining, improving upon, and monitoring processes.
Solution Provider
Works with the business unit managers, data owners, and senior management to develop and deploy a solution to reduce the company’s pain points.
User
Any individual who routinely uses the data for work-related tasks.
Product Line Manager
Role that understands business drivers, business processes, and the technology that is required to support them.

Evaluates various markets, works with vendors, and advises management on proper solutions needed to meet their goals.

Auditor
Ensures correct controls are in place and are being maintained securely.

Goal is to make sure the organization complies with its own policies and the applicable laws and regulations.

Separation of Duties
Makes sure one person cannot complete a critical task by themselves.

Preventative Administrative control to reduce fraud.

Collusion
When at least two people work together to cause some sort of destruction or fraud.
Split Knowledge
Control in which no one person has all the knowledge necessary to complete a task.

Example:
Bank vault that requires two sets of codes to open the vault (each person has only their own code).

Dual Control
Control in which two individuals must be available to perform a task.

Example:
Two officers must perform identical key-turn in order to launch a missile.

Rotation of Duties
Administrative Detective control put in place to uncover fraudulent activities. Person is rotated to different positions frequently in order to uncover activities that would show up once the person is no longer performing their same duties.
Mandatory Vacation
Control to uncover fraudulent activities. Person is required to take vacation and any fraudulent activities might show up when the person is on vacation.
Security Awareness Training
Put in place to modify employee’s behavior and attitude toward security.

Security Awareness Program created for 3 types of audiences:
1. Management
2. Staff
3. Technical Employees

Should happen during hiring and at least annually thereafter. Integrate into employee performance reports.

Security Awareness versus Training
Awareness changes user behavior.
–Reminding users to never share account passwords is an example of awareness

Training provides a skill set.
–Training service desk to open/close new tickets
–Training staff to configure a router

Security Governance
Framework that allows the security goals of an organization to be set and expressed by senior management, communicated throughout the different levels of the organization, grants power to the entities needed to implement and enforce security, and provides a way to verify the performance of these necessary security activities.

Strong management support necessary.

There has to be established policies, procedures, and standards to measure against.

Measurement activities need to provide quantifiable performance-based data that is repeatable, reliable, and produces results that are meaningful.

Balanced scorecard.

ISO 27004:2009
International standard used to assess the effectiveness of an ISMS and the controls that make up the security program.

Breaks individual metrics down into:
-base measures
-derived measures
-indicator values.

ISO 27001 tells you how to BUILD the security program, ISO 27004 tells you how to measure it.

NIST 800-55
U.S. Government standard covering performance measurement for information security.

Breaks metrics down into:
-implementation
-effectiveness/efficiency
-impact values.

Due Care/Due Diligence
Due Care: doing what a reasonable person would do. Informal.

Due Diligence: the management of due care. Follows a process.

Certification versus Accreditation
Certification: Detailed inspection that verifies whether a system meets the documented security requirements.

Accreditation: The data owner’s acceptance of the risk represented by that system.

NIST 800-37 specifies 4-step Certification and Accreditation process:
1. Initiation phase
2. Security certification phase
3. Security accreditation phase
4. Continuous monitoring phase

Goal Types
Operational Goals = Daily

Tactical Goals = more time than operational, but not as long as strategic. Milestones within a project.

Strategic Goals = 1 year or longer goals

Information Security
Information security is a continuous process of securing the business operations of an organization. Security starts with the establishment of a security policy and standards, is followed by the implementation of hardware and software through standard operating procedures, and ends by imparting security awareness training to employees. The security awareness training covers the acceptable use of resources and the risks that threats might pose to the business operations.
Information Assurance
The purpose of information assurance is to ensure that the access control mechanisms correctly implement the security policy for the life cycle of an information system.

Assurance procedures should be developed based on the organization’s security policy.

Security Template
A security template should cover:
-account policies
-user rights and permissions
-registry permissions
-system services

Other areas that should be covered include:
-event log settings
-restricted groups
-file permissions
-auditing settings