01. Information Security Control Design and Selection (240) Flashcards

1
Q

Information Security Control Design and Selection

Controls are the procedures, mechanisms, systems, and other measures designed to reduce risk through compliance to policies

240

A
2
Q

Information Security Control Design and Selection

An organisation develops controls to ensure that its business objectives will be met, risks will be reduced, and errors will be prevented or corrected

240

A
3
Q

Information Security Control Design and Selection

Controls are created to ensure desired outcomes and to avoid unwanted outcomes. They are created for several reasons, including:

240

A
  1. regulation
  2. risk assessment
  3. audit result
4
Q

Control Classification

Security managers should understand the characteristics, or classifications, of controls. Control classification types, classes, and categories should all be understood

A
5
Q

Types of controls

3 types of controls;

  1. Physical
  2. Technical
  3. Administrative

242

A
6
Q

Class of Controls

6 classes of controls;

  1. Preventive
  2. detective
  3. deterrent
  4. corrective
  5. compensating
  6. recovery

242

A

Preventive
Used to prevent the occurrence of unwanted events
Detective
Used to record both wanted and unwanted events
Deterrent
Exists to convince someone that they should not perform an unwanted activity
Corrective
Activated manually or automatically after some unwanted event has occurred
Compensating
Used where some other direct control cannot be used
Recovery
Used to restore system or asset to its pre-incident state

7
Q

Class of Controls

Examples….

Preventive
Computer login screen, key card system, encryption
Detective
Video surveillance, event logs
Deterrent
Video surveillance cameras and monitors, fences,
Corrective
The process of improving a process when it is found to be ineffective
Compensating
A guest sign-in register used in place of video surveillance when video surveillance is unavailable
Recovery
Malware removal tools, backup software to recover lost files

243

A
8
Q

Categories of Control

2 categories of controls that relate to the nature of their operation;

  1. Automatic
  2. Manual

244

A

Automatic
Performs its function with little or no human judgement or decision making
Manual
Requires a human to operate it

9
Q

Categories of Control

Examples…

Automatic
Login page to application that cannot be circumvented, security door automatically locking
Manual
Monthly review of computer users

244

A
10
Q

Control Objectives

Control objectives describe the desired states or outcomes of business operations

244

A
11
Q

General Computing Controls

IT will have a set of controls that apply across all of its applications and services, known as General Computing Controls (GCCs)

245

A
12
Q

General Computing Controls

General Computing Controls (GCCs) are general in nature and are often implemented in different ways on different information systems, based on each system's capabilities, limitations, and applicability

245

A
13
Q

Controls: Build vs Buy

Build vs Buy of controls refers to the business decision organisation leaders take between building a new asset, tangible or intangible, themselves or paying another organisation to create the asset.

245

A
14
Q

Control Frameworks

A control framework is a collection of controls, organised into logical categories

246

A
15
Q

Control Frameworks

Well-known control frameworks developed to streamline the process of control development and adoption:

  1. ISO/IEC 27002
  2. NIST SP 800-53
  3. CIS CSC
A
16
Q

Control Frameworks

Selection of a control framework should represent a starting point. Once a framework is selected, the organisation can use the risk management life cycle to understand risks in the organisation that result in changes to the controls used

247

A
17
Q

Mapping Control Frameworks

One or more control frameworks may be adopted primarily because…

  1. Multiple applicable regulatory frameworks
  2. Multiple operational contexts

248

A

Example;
Healthcare services that take credit card payments would likely select both HIPAA and PCI DSS, because neither framework on its own fully addresses all the needs of the business

18
Q

Mapping Control Frameworks

Organisations will map control frameworks together, resulting in a single control framework with controls from each framework

248

A
19
Q

Mapping Control Frameworks

A chart that maps two or more control frameworks together is known as a crosswalk

248

A
20
Q

Working with Control Frameworks

Security managers need to organise the organisation's operational activities around the selected/mapped control frameworks

249

A
21
Q

Working with Control Frameworks

Risk Assessment
Before a control can be designed, the security manager needs to know the nature of the risk(s) the control is intended to address

249

A
22
Q

Working with Control Frameworks

Control Design
Before a control can be used, it must be designed. A control framework comprises the control language and some degree of guidance

249

A

A security manager, with the personnel who are responsible for the relevant technologies, will determine what activity is required to implement the control

23
Q

Working with Control Frameworks

Control Design
Proper control design will potentially require one or more of the following, new or changed:

  1. Policies
  2. Business process documents
  3. Information systems
  4. Business records

250

A
24
Q

Control Architecture

**Control Architecture** refers to the “big picture” of controls in an organisation. Security managers need to understand how controls work together

250

A
25
Q

Dealing with Changing Technology

Technologies change more quickly than standard control frameworks.
Security managers must monitor emerging technologies being “plugged in” to business processes, so that they are involved early enough to understand what controls are required.

250

A
  • Personal computing
  • Cloud Computing
  • Smartphones
  • Bring Your Own Device (BYOD)
  • Bring Your Own Application (BYOA)
  • Shadow IT
  • Work From Home (WFH)
  • Artificial Intelligence (AI)
  • Virtual Reality (VR)
  • Internet of Things (IoT)
26
Q

Dealing with Changing Technology

Changes in technology are often disruptive.
Disruption is the result of innovation
New ideas and innovation make organisations better

250

A
27
Q

ISO/IEC 27002

ISO/IEC 27002
* World renowned set of controls
* Must be purchased
* 4 control categories
* 93 control objectives

252

A
  1. Organisational Controls
  2. People Controls
  3. Physical Controls
  4. Technological Controls
28
Q

NIST SP 800-53 rev 5

NIST SP 800-53
* Published by the Computer Security Division of the U.S. National Institute of Standards and Technology (NIST)

254

A
29
Q

Center for Internet Security Critical Security Controls (CIS CSC)

  • Regarded as a simpler set of controls
  • Structured in a way that is easy to understand and use
  • 18 control objectives

256

A
30
Q

NIST Cyber Security Framework (CSF)

  • Risk management methodology and control Framework
  • Designed to be a single standard for identifying risk and implementing controls to protect information assets
  • Framework core, consisting of 5 activities
  • Framework Implementation Tiers - capabilities assessment, resembles maturity levels

257

A
31
Q

NIST Cyber Security Framework

Identify
Develop the organisational understanding to manage cybersecurity
Protect
Develop and implement appropriate safeguards
Detect
Develop and implement activities to identify cybersecurity events
Respond
Develop and implement activities to take action on detected cybersecurity events
Recover
Develop and implement activities to maintain resilience and restore capabilities

257

A
32
Q

NIST Cyber Security Framework

Framework Implementation Tiers - Maturity Assessment

Partial
Risk management is not formalised. Reactive, limited within the organisation
Risk Informed
Risk management is formalised, but not working organisation-wide
Repeatable
Risk management practices formalised and approved. Integrated into the business
Adaptive
Risk management practices monitored and adapted to meet changing threats and needs. Fully integrated

257

A
33
Q

NIST Cyber Security Framework

CSF contains a methodology for establishing or making improvements;

Step 1: Prioritise and Scope
* Determine business units or business processes in scope

Step 2: Orient
* Identify assets in scope for program

Step 3: Create a current profile
* Identify current state against framework core and subcategories

Step 4: Conduct a risk assessment
* Conduct risk assessment covering entire scope of the program

Step 5: Create a target profile
* Determine the desired future state

Step 6: Determine, Analyse, prioritise gaps
* Compare current profile to desired profile (gap analysis)

Step 7: Implement action plan
* Develop plans and execute to close gaps

258

A
34
Q

Payment Card Industry Data Security Standard (PCI DSS)

  • A control framework whose main objective is the protection of cardholder data
  • Founded by major credit card brands
  • Tiered structure - high volume transactions require onsite annual audits. Low volumes can be annually self assessed
  • Offers certification for personnel who can perform PCI audits

258

A
35
Q

Health Insurance Portability and Accountability Act (HIPAA)

  • Designed to address issues around the processing of healthcare information
  • Electronic Protected Healthcare Information (ePHI)
  • Organisations delivering medical healthcare required to comply
  • HIPAA security rules are required or addressable

261

A
36
Q

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA Security rules are required or addressable;

Required
* Must be implemented

Addressable
* Requires an analysis to determine if they must be implemented

261

A
37
Q

COBIT 2019

  • Industry-wide standard, the result of industry consensus among managers, auditors, and IT users
  • 1100+ control activities
  • 5 principles, 37 principles
  1. Meeting Stakeholder Needs
  2. Covering the Enterprise End to End
  3. Applying a single, Integrated Framework
  4. Enabling a Holistic Approach
  5. Separating Governance from Management

261

A
38
Q

The Committee of Sponsoring Organisations (COSO)

  • Control framework used by US public companies
  • Management of financial accounting and reporting systems
  • 17 principles
  • 5 framework components
A
39
Q

North American Electric Reliability Corporation (NERC)

  • Standards for electric utilities throughout North America
  • NERC has authority to enforce standards
  • Fines levied on public utilities for non-compliance
A
40
Q

Cloud Security Alliance (CSA) Control Framework

  • Cloud Controls Matrix (CCM)
  • Provides security principles to cloud vendors
  • Provide customers with assessments of cloud vendors
  • CSA STAR - assurance framework 2 levels, Self assessment, Third party audit
A
41
Q

Service Organisation Controls (SOC)

  • Statement on Auditing Standards No. 70 (SAS-70)
  • SAS-70 allows audits of service providers by public accounting firms
  • Allows public companies to obtain assurance of control effectiveness for outsourced IT services
  • System and Organisation Controls (SOC)
  • SOC 1, SOC 2, SOC 3

264

A
42
Q

System and Organisation Controls 1 (SOC 1)

  • Statement on Standards for Attestation Engagements (SSAE)
  • SSAE 16, SSAE 18, ISAE 3402
  • Service organisation has free latitude to decide which controls are in scope
  • 2 types; Type 1, Type 2

Type 1:
* Point in time examination of controls and their design

Type 2:
* Occurs over a period of time (3 months to 1 year)
* Type 1 examination applies, plus examination of business records to determine control effectiveness

264

A
43
Q

System and Organisation Controls 2 (SOC 2)

  • Developed for IT service providers
  • For providers who want to demonstrate assurance in their controls to customers
  • 5 trust principles
  • 2 types; Type 1, Type 2
  • Type 1 - Point in time
  • Type 2 - Over a period of time (6 months to 1 year)

Security
* Protected against unauthorized access

Availability
* Available for operation

Processing Integrity
* System process is complete, valid, accurate, timely, authorized as agreed upon

Confidentiality
* Confidential information is protected as agreed upon

Privacy
* Personal information collected, used, retained, disclosed, destroyed

264

A
44
Q

System and Organisation Controls 3 (SOC 3)

  • Audit includes any or all 5 trust principles
  • Lacks description of control testing or opinion of control effectiveness

Security
* Protected against unauthorized access

Availability
* Available for operation

Processing Integrity
* System process is complete, valid, accurate, timely, authorized as agreed upon

Confidentiality
* Confidential information is protected as agreed upon

Privacy
* Personal information collected, used, retained, disclosed, destroyed

265

A