01. Information Security Control Design and Selection (240) Flashcards
Information Security Control Design and Selection
Controls are the procedures, mechanisms, systems, and other measures designed to reduce risk through compliance with policies
240
Information Security Control Design and Selection
An organisation develops controls to ensure that its business objectives will be met, risks will be reduced, and errors will be prevented or corrected
240
Information Security Control Design and Selection
Controls are created to ensure desired outcomes and to avoid unwanted outcomes. They are created for several reasons, including:
240
- regulation
- risk assessment
- audit result
Control Classification
Security managers should understand the characteristics, or classifications, of controls. Control classification types, classes, and categories should all be understood
Types of controls
3 types of controls:
- Physical
- Technical
- Administrative
242
Class of Controls
6 classes of controls:
- Preventive
- detective
- deterrent
- corrective
- compensating
- recovery
242
Preventive
Used to prevent the occurrence of unwanted events
Detective
Used to record both wanted and unwanted events
Deterrent
Exists to convince someone that they should not perform an unwanted activity
Corrective
Activated manually or automatically after some unwanted event has occurred
Compensating
Used where some other direct control cannot be used
Recovery
Used to restore system or asset to its pre-incident state
Class of Controls
Examples….
Preventive
Computer login screen, key card system, encryption
Detective
Video surveillance, event logs
Deterrent
Video surveillance cameras and monitors, fences
Corrective
The process of improving a process when it is found to be ineffective
Compensating
A guest sign-in register used in place of video surveillance when video surveillance is unavailable
Recovery
Malware removal tools, backup software to recover lost files
243
Categories of Control
2 categories of controls that relate to the nature of their operation:
- Automatic
- Manual
244
Automatic
Performs its function with little or no human judgement or decision making
Manual
Requires human to operate it
Categories of Control
Examples…
Automatic
Login page to application that cannot be circumvented, security door automatically locking
Manual
Monthly review of computer users
244
Control Objectives
Control objectives describe the desired states or outcomes of business operations
244
General Computing Controls
IT will have a set of controls that apply across all of its applications and services, known as General Computing Controls (GCCs)
245
General Computing Controls
General Computing Controls (GCCs) are general in nature and are often implemented in different ways on different information systems, based on individual capabilities, limitations, and applicability
245
Controls: Build vs Buy
Build vs Buy of controls refers to the business decision organisation leaders take regarding building a new asset, tangible or intangible, or paying another organisation to create the asset.
245
Control Frameworks
A control framework is a collection of controls, organised into logical categories
246
Control Frameworks
Well-known control frameworks developed to streamline the process of control development and adoption:
- ISO/IEC 27002
- NIST SP 800-53
- CIS CSC
Control Frameworks
Selection of a control framework should represent a starting point. Once a framework is selected, the organisation can use the risk management life cycle to understand the risks in the organisation that result in changes to the controls used
247
Mapping Control Frameworks
One or more control frameworks may be adopted primarily because…
- Multiple applicable regulatory frameworks
- Multiple operational contexts
248
Example:
Healthcare services that take credit card payments would likely select HIPAA and PCI DSS, since neither framework alone fully addresses all the needs of the business
Mapping Control Frameworks
Organisations will map control frameworks together, resulting in a single control framework with controls from each framework
248
Mapping Control Frameworks
A chart that maps two or more control frameworks together is known as a crosswalk
248
Working with Control Frameworks
Security managers need to organise the organisation's operational activities around the selected/mapped control frameworks
249
Working with Control Frameworks
Risk Assessment
Before a control can be designed, the security manager needs to know the nature of the risk(s) the control is intended to address
249
Working with Control Frameworks
Control Design
Before a control can be used, it must be designed. A control framework comprises the control language and some degree of guidance
249
A security manager, with the personnel who are responsible for the relevant technologies, will determine what activity is required to implement the control
Working with Control Frameworks
Control Design
Proper control design will potentially require one or more of the following: new or changed…
- Policies
- Business process documents
- Information systems
- Business records
250
Control Architecture
**Control Architecture** refers to the “big picture” of controls in an organisation. Security managers need to understand how controls work together
250
Dealing with Changing Technology
Technologies change more quickly than standard control frameworks.
Security managers must monitor emerging technologies being “plugged in” to business processes, so that they are involved early and understand what controls are required.
250
- Personal computing
- Cloud Computing
- Smartphones
- Bring Your Own Device (BYOD)
- Bring Your Own Application (BYOA)
- Shadow IT
- Work From Home (WFH)
- Artificial Intelligence (AI)
- Virtual Reality (VR)
- Internet of Things (IoT)
Dealing with Changing Technology
Changes in technology are often disruptive.
Disruption is the result of innovation
New ideas and innovation make organisations better
250
ISO/IEC 27002
ISO/IEC 27002
* World renowned set of controls
* Must be purchased
* 4 control categories
* 93 control objectives
252
- Organisational Controls
- People Controls
- Physical Controls
- Technological Controls
NIST SP 800-53 rev 5
NIST SP 800-53
* Published by the Computer Security Division of the U.S. National Institute of Standards and Technology (NIST)
254
Center for Internet Security Critical Security Controls (CIS CSC)
- Regarded as a simpler set of controls
- Structured in a way that is easy to understand and use
- 18 control objectives
256
NIST Cyber Security Framework (CSF)
- Risk management methodology and control Framework
- Designed to be a single standard for identifying risk and implementing controls to protect information assets
- Framework core, consisting of 5 activities
- Framework Implementation Tiers - capabilities assessment, resembles maturity levels
257
NIST Cyber Security Framework
Identify
Develop the organisational understanding to manage cybersecurity
Protect
Develop and implement appropriate safeguards
Detect
Develop and implement activities to identify cybersecurity events
Respond
Develop and implement activities to take action on detected cybersecurity events
Recover
Develop and implement activities to maintain resilience and restore capabilities
257
NIST Cyber Security Framework
Framework Implementation Tiers - Maturity Assessment
Partial
Risk management is not formalised. Reactive, limited within the organisation
Risk Informed
Risk management is formalised, but not working organisation-wide
Repeatable
Risk management practices formalised and approved. Integrated into the business
Adaptive
Risk management practices monitored and adapted to meet changing threats and needs. Fully integrated
257
NIST Cyber Security Framework
CSF contains a methodology for establishing or making improvements:
Step 1: Prioritize and Scope
* Determine business units or business processes in scope
Step 2: Orient
* Identify assets in scope for program
Step 3: Create a current profile
* Identify current state against framework core and subcategories
Step 4: Conduct a risk assessment
* Conduct risk assessment covering entire scope of the program
Step 5: Create a target profile
* Determine the desired future state
Step 6: Determine, Analyse, prioritise gaps
* Compare current profile to desired profile (gap analysis)
Step 7: Implement action plan
* Develop plans and execute to close gaps
258
Payment Card Industry Data Security Standard (PCI DSS)
- A control framework whose main objective is the protection of cardholder data
- Founded by major credit card brands
- Tiered structure - high volume transactions require onsite annual audits. Low volumes can be annually self assessed
- Offers certification for personnel who can perform PCI audits
258
Health Insurance Portability and Accountability Act (HIPAA)
- Designed to address issues around the processing of healthcare information
- Electronic Protected Healthcare Information (ePHI)
- Organisations delivering medical healthcare required to comply
- HIPAA security rules are required or addressable
261
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA Security rules are required or addressable:
Required
* Must be implemented
Addressable
* Requires an analysis to determine if they must be implemented
261
COBIT 2019
- Industry-wide standard, a result of industry consensus by managers, auditors, and IT users
- 1100+ control activities
- 5 principles, 37 processes
- Meeting Stakeholder Needs
- Covering the Enterprise End to End
- Applying a single, Integrated Framework
- Enabling a Holistic Approach
- Separating Governance from Management
261
The Committee of Sponsoring Organisations (COSO)
- Control framework used by US public companies
- Management of financial accounting and reporting systems
- 17 principles
- 5 framework components
North American Electric Reliability Corporation (NERC)
- Standards for electric utilities throughout North America
- NERC has authority to enforce standards
- Fines levied on public utilities for non-compliance
263
Cloud Security Alliance (CSA) Control Framework
- Cloud Controls Matrix (CCM)
- Provides security principles to cloud vendors
- Provide customers with assessments of cloud vendors
- CSA STAR - assurance framework 2 levels, Self assessment, Third party audit
Service Organisation Controls (SOC)
- Statement on Auditing Standards No. 70 (SAS-70)
- SAS-70 allows audits of service providers by public accounting firms
- Allows public companies to obtain assurance of control effectiveness for outsourced IT services
- System and Organisation Controls (SOC)
- SOC 1, SOC 2, SOC 3
264
System and Organisation Controls 1 (SOC 1)
- Statement on Standards for Attestation Engagements (SSAE)
- SSAE 16, SSAE 18, ISAE 3402
- Service organisation has free latitude to decide which controls are in scope
- 2 types: Type 1, Type 2
Type 1:
* Point in time examination of controls and their design
Type 2:
* Occurs over a period of time (3 months to 1 year)
* Type 1 applies, as well as business records to determine control effectiveness
264
System and Organisation Controls 2 (SOC 2)
- Developed for IT service providers
- For providers who want to demonstrate assurance in their controls to customers
- 5 trust principles
- 2 types: Type 1, Type 2
- Type 1 - Point in time
- Type 2 - Over a period of time (6 months to 1 year)
Security
* Protected against unauthorized access
Availability
* Available for operation
Processing Integrity
* System process is complete, valid, accurate, timely, authorized as agreed upon
Confidentiality
* Confidential information is protected as agreed upon
Privacy
* Personal information collected, used, retained, disclosed, destroyed
264
System and Organisation Controls 3 (SOC 3)
- Audit includes any or all 5 trust principles
- Lacks description of control testing or opinion of control effectiveness
Security
* Protected against unauthorized access
Availability
* Available for operation
Processing Integrity
* System process is complete, valid, accurate, timely, authorized as agreed upon
Confidentiality
* Confidential information is protected as agreed upon
Privacy
* Personal information collected, used, retained, disclosed, destroyed
265