2.1 Intro to Security Within the Organization Flashcards
GRC
Governance, Risk, Compliance
Governance
-provides management frameworks for implementing security practices in the organization
-helps a business decide how to enforce its security practices by developing policies, standards, processes, and procedures.
Risk Management
identifies which assets are most important and determines how they are most likely to be compromised. The business then uses this information to decide how to protect its most important and at-risk assets. This decision then informs the business’s security practices.
Compliance
ensures that internal security policies are followed and verifies that the business is following relevant security laws.
Chief Executive Officer (CEO)
responsible for plotting the overall direction of the company and conceiving and communicating a corporate mission or ultimate goal, determining what the business should focus on in order to meet those goals, assessing risks, and setting standards of social responsibility for the organization.
departmental executive leadership team
actively engaged in managing the day-to-day operations within their departments and report directly to the CEO.
Chief Information Officer (CIO)
responsible for developing IT systems that support the business, including setting up corporate networks, provisioning services like VPN, setting up and recycling employee devices, and leasing servers for data storage and internal application development.
Chief Information Security Officer (CISO)
-responsible for managing risk to an organization’s data throughout its lifecycle.
-responsible for ensuring that the company’s data is safe from the time it’s collected, stored, and retrieved to when it’s destroyed, purged, and wiped.
-responsible for supervising a security operations organization (which identifies, contains, and responds to threats); developing and disseminating information security policies; developing and disseminating training to personnel; and working with the CIO to coordinate implementation of security policies by IT teams.
Network Security
Roles: Director of Networking or Director of Network Security
Responsibilities: Securing networks and implementing network security policies. This group also manages services like the corporate VPN. They are responsible for purchasing or leasing, configuring, maintaining, and troubleshooting the organization’s network infrastructure.
Incident Response
Roles: Incident Response (IR) Manager or a Security Operations Center (SOC) Manager
Responsibilities: Identifying and responding to security breaches. IR is responsible for security operations centers (SOCs), which monitor the organization’s devices for incidents. IR is also responsible for escalating serious breaches to the executive team for handling.
Application Security
Role: Security Architect
Responsibilities: Ensuring that internally developed applications meet security standards. This means minimizing the number of breaches due to the application, ensuring these applications pass security audits, and teaching developers to follow best practices of secure development.
security culture
the way members of an organization think about and approach security issues
healthy security culture
When employees are invested in the organization’s security and understand how to “behave securely.”
steps for developing a security culture framework:
Step One: Measure and Set Goals
Step Two: Involve the Right People
Step Three: Create an Action Plan
Step Four: Execute the Plan
Step Five: Measure Changes
defense in depth
a concept in which multiple defenses are used to secure a resource.
Layering security controls in the security design framework
security control
any system, process, or technology that protects the confidentiality, integrity, and accessibility of a resource.
Administrative control
Requiring employees to adhere to training guidelines is an example.
Technical control
Forcing developers to authenticate using SSH keys rather than passwords is an example.
Physical control
Protecting a building by requiring keycard access is an example.
Preventive controls
prevent access with physical or logical/technical barriers. Keycard access is a preventive control.
Deterrent controls
discourage attackers from attempting to access a resource.
Detective controls
do not protect access to a confidential resource. Rather, they identify and record attempts at access.
Corrective controls
attempt to fix an incident and possibly prevent recurrence.
Compensating controls
do not prevent attacks, but restore the function of compromised systems.
Access control
the practice of controlling who can access which resources
Control diversity
the use of different security control types, such as technical controls, administrative controls, and physical controls.
redundancy
-the duplication of critical components or functions of a system with the intention of increasing reliability of the system, usually in the form of a backup or fail-safe, or to improve actual system performance.
-allows your network to remain in service by providing alternative data paths or backup equipment.
single points of failure (SPOF)
any non-redundant part of a system that, if dysfunctional, would cause the entire system to fail.
-essentially a flaw in the design, configuration, or implementation of a system, circuit, or component that poses a potential risk because it could lead to a situation in which just one malfunction or fault causes the whole system to stop working