CCSP Domain 6: Policies, Standards, Baselines and Guidelines Flashcards
What is a policy?
broad statement of management intent
Is policy compliance mandatory?
yes
What are the generalized statements about the cybersecurity objective included in information security policy?
- statement of the importance of cybersecurity to the organization
- requirement that all staff and contractors take measures to protect the confidentiality, integrity and availability of information and information systems
- statement of the ownership of information created and/or possessed by the organization
- designation of CISO or other individual as the executive responsible for cybersecurity issues
- delegation of authority granting the CISO the ability to create standards, procedures and guidelines that implement the policy
Who approves policies?
CEO; requires approval from senior management
What should cybersecurity managers do when developing new security policies in the relation to the already existing policy development mechanisms?
should align their work with any other policy development mechanisms that already exist within their organization; aligning with existing procedures makes it easier for the new initiative to gain traction
What key principles should be followed by cybersecurity managers when working on policy development initiatives? (4)
- obtain input from all relevant stakeholders
- follow the chain of command
- accommodate the organizational structure
- meet internal and external requirements
Do security policies contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm?
no, this type of detail would normally be found in a security standard
All policies within the organization should include a section that includes which elements?
- policy maintenance
- policy enforcement
The baseline should cover what systems?
as many systems throughout the organization as possible; the more systems that are included in the baseline, the more cost-effective and scalable the baseline is
What do standards provide?
mandatory requirements describing how an organization will carry out its information security policies; may include specific configuration settings used for OSes
Who approves standards in an organization?
standards are usually approved at a lower organizational level than policies, and therefore change more frequently
What are procedures?
detailed, step-by-step processes that individuals and organizations must follow; ensure consistent process for achieving a security objective
Is compliance with procedures mandatory?
yes
What is the purpose of guidelines?
provide best practices and recommendations related to a given concept, technology or task
Is compliance with guidelines mandatory?
no, guidelines are intended to serve as a helping hand
What do many exception processes require?
the use of compensating controls to mitigate the risk associated with exceptions to security standards
PCI DSS includes one of the most formal compensating control processes in use today and sets out 3 criteria that must be met for a compensating control to be satisfactory. What are these criteria?
- the control must meet the intent and rigor of the original requirement
- the control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against
- the control must be “above and beyond” other PCI DSS requirements
Are compensating controls intended to be permanent?
no, remediation plans should be developed to bring the organization back into compliance with the letter and intent of the original control
What is the common baselining method?
imaging
What is versioning?
using a labeling or numbering system to track changes in updated versions of a baseline (image, application, system, etc.)
How can baselines be applied?
to a single VM image, or to a VM template that is then used to deploy all VMs
What is hardening?
configuration of a machine into a secure state through the application of a configuration baseline
Who can offer hardened VM images?
- customer-defined
- CSP-defined
- 3rd party, often available through a cloud marketplace
Who offers hardened VM images in CSP marketplaces?
Center for Internet Security (CIS)
What is a control?
a high-level description of a feature or activity that needs to be addressed; not specific to a technology or implementation
What does a benchmark contain?
security recommendations for a specific technology, such as an IaaS VM; describes configuration baselines and best practices for securely configuring a system
What is a baseline?
the implementation of the benchmark on an individual service
How is a control expressed?
as a benchmark
How is a benchmark implemented?
through a baseline
What is the main purpose of benchmarks?
to ease the process of securing a component, reduce its footprint and minimize the risk of a security breach
From what sources can baselines be obtained?
- Vendor-Supplied Baselines
  - vendors provide configuration guidelines
- DISA STIGs
  - the U.S. Defense Information Systems Agency (DISA) produces baseline documents known as Security Technical Implementation Guides (STIGs); may be too restrictive for businesses
- NIST Checklists
  - the National Institute of Standards and Technology maintains a repository of configuration checklists for various OS and application software
- CIS Benchmarks
  - the Center for Internet Security publishes baseline guides for a variety of OSes, applications and devices
  - priced based on environment size
Baselines are composed of individual settings called what?
Configuration Items (CI)
What organizations provide Windows server security baselines?
Center for Internet Security, Microsoft, and the National Institute of Standards and Technology
What are CIS security controls?
a security baseline adopted by many organizations
What term describes a general-purpose map of the systems and networks used in an organization?
baseline