Chapter 1 Flashcards
Name 5 architecture frameworks
- Zachman (what/where/when/who in columns and system architects, business managers etc in rows)
- TOGAF - views of business, application, technology, data
- DoDAF - systems, processes, personnel in concerted manner
- MoDAF - data in right format to right people
- SABSA - Assets, motivation, people, process, location and time in columns (similar to Zachman)
For an enterprise security architecture to be successful in development and implementation
- Strategic alignment
- Business enablement
- Process enhancement
- Security effectiveness
What are the principles that COBIT is based on
- End to end enterprise coverage
- Single integrated framework
- Holistic approach
- Separating governance from management
How many goals does COBIT have
17 enterprise goals
17 IT related goals
What does COBIT ask?
Simple question – “Why are we doing this”. This should lead to an IT Goal that is tied to an enterprise goal that is tied to a stakeholder need
What is the misconception with COBIT
It is a misconception that COBIT is purely security focussed
What does NIST 800-53 provide
Security and Privacy controls for federal information systems and organisation
How many control categories does NIST have
18 control categories, categorised into (MOT)
Management,
Operational and
Technical
How is COSO - IC Integrated Framework majorly different?
It works at strategic level instead of IT
Deals with fraud through corporate governance
How many and what are the control principles in COSO IC Integrated Framework?
17 internal control principles, grouped into 5 components
- Control environment
- Risk Assessment
- Control Activities
- Information and communication
- Monitoring activities
SOX is based on which security controls framework
COSO IC Integrated framework
What is the difference between NIST 800-53/COBIT etc and Zachman/SABSA
The former are security controls, the latter are enterprise architectures
CMMI Level 0
Non existent management
CMMI Level 1
Unpredictable processes
CMMI Level 2
Repeatable processes
CMMI Level 3
Defined processes
CMMI Level 4
Managed Processes
CMMI Level 5
Optimised processes
ISO 27001
ISMS requirements
27002
Code of practice for information security management
27003
ISMS implementation
27004
ISMS measurement
27005
Risk Management
27006
Certification body requirements
27007
ISMS auditing
27008
Guidance for auditors
27011
Telecommunications organization
27014
Information security governance
27015
Financial sector
27031
Business continuity
ISO 27016 to 27030
No Standard
ISO 27032
Cybersecurity
ISO 27033
Network security
ISO 27034
Application Security
ISO 27035
Incident management
ISO 27037
Digital evidence collection and preservation
ISO 27099
Health organizations
What is the Difference between ISO 27001 and Enterprise security frameworks:
ISO 27001 is general in nature
- Can be difficult to know how to implement in a specific environment of a company
- That is where the enterprise security architecture comes into play
How are security controls categorised in enterprises
APT
Administrative
Physical
Technical
How are security controls categorised in government
MOT
Management
Operational
Technical
Describe the frameworks, controls standards in the analogy of a house
ISO/IEC 27001 - policy level (description of house)
Security Enterprise Framework - architecture level (arch of house)
Blueprints - detailed descriptions e.g. window types
Control Objectives - building specification codes
Define Risk
Likelihood of threat source exploiting vulnerability and its business impact
What are the 6 functionalities that Controls provide
Detective
Preventive
Corrective
Deterrent
Recovery
Compensating
Which is better between detective, corrective, preventive
Most productive to use a preventive model followed by detective, corrective and recovery (stop any trouble before it starts but be able to react and combat it if it does happen)
If detective control identifies that means preventive failed
Hence corrective is necessary to ensure next time it is prevented
How to map functionality to a control ?
try to think of the MAIN reason why the control was put in place
Eg.
A firewall was put in place to prevent an intruder
Auditing of logs is post facto so it is detective
Backup helps to restore data hence it is recovery
Computer images can be reloaded in case of corruption hence corrective
Why is compensating control required
it is either
Affordable
Allows specifically required business functionality
What are the 8 OECD principles for privacy protection and transborder flow of data
(Quality Cleaning of Personal Underwear using SOAP)
- Collection limitation principle: limited collection, in lawful means, with knowledge of user
- Data Quality principle: data is complete, current and relevant
- _P_urpose specification: users notified during collection, data used only for that purpose
- Use limitation: use other than stated only by explicit agreement of user
- Security safeguards: put safeguards to protect loss, modification, damage
- _O_penness: communicate standards, practices etc openly
- Individual participation: user should know about data held by org and correct erroneous data
- Accountability: organizations should be accountable for complying
What are the 7 Safe Harbor principles
What is the Wassenaar arrangement
implements export control for “conventional arms and dual use goods and technologies”. Cryptography falls under dual-use
What are the main types of legal systems
- Civil (code) Law System
- Common Law System
- Customary Law
- Religious Law
- Intellectual property law
What are the major features of CIVIL (Code) LAW system
- Most widespread
- Based on rules instead of precedent
- Used in continental Europe
- Lower courts not compelled to follow higher courts decision
What is common law system based on?
- Precedent
- Hierarchy of courts
What are the subcomponents of common law system?
- Criminal Law
- Civil/Tort Law
- Administrative (Regulatory Law)
What is the difference between Criminal Law and Civil/Tort Law
- guilty/not guilty :: liable/not liable
- By government :: By private parties
- for harm to society :: for damage to individual/firm
What is the role of administrative law within the common law system
- Address international trade / manufacturing
- Deal with regulatory standards that regulate performance and conduct
what are the components of intellectual property law?
Trade Secret
o Proprietary to a company and important for its survival and profitability
Copyright
o Protects the form of expression than the subject itself
o Computer programs can be protected as literary works
Trademark
o Used to protect a word, name, symbol, sound, shape, colour or combination
Patent
o Is the strongest form of intellectual property protection
What is the use of the Digital Millennium Copyright Act?
criminalises production and dissemination of technology, devices or services that circumvent access control measures that are put into place to protect copyrighted material
What are the drivers for privacy laws
- Data aggregation and retrieval happening more often
- Cross border movement of data
- convergent technologies
Name well known privacy laws
- Federal Privacy Act 1974
- FISMA 2002
- Department of Veterans Affairs information security protection
- Health insurance portability and accountability
- Health information technology for economic and clinical health (HITECH)
- USA Patriot Act (eases restrictions of law enforcement to access privacy data)
Name well known laws for financial protection
- GLBA (financial services modernisation)
- Personal information protection and electronic documents
- PCI DSS
- Economic Espionage Act 1996
What does the Financial Services Modernisation Act (GLBA) include
- Financial Privacy Rule (consumers should be informed about what is collected, who is it shared with, how is it protected and option to opt out of sharing it)
- Safeguards Rule (should have written information security rule)
- Pretexting protection (Requires notification only if institution breached determines that the breached data has been or will be misused)
What are the main requirements of PCI DSS
(12 main requirements broken into 6 categories)
§ Build and maintain a secure network and systems
§ Protect cardholder data
§ Maintain a vulnerability management program
§ Implement strong access control measures
§ Regularly monitor and test networks
§ Maintain an information security policy
What is the use of the Economic Espionage Act 1996
Protects corporations IP (rather than consumer privacy)
What is US definition of PII
Combination of first and last name with any of the following
- Social security number
- Drivers license number
- Credit or debit card number with security code or PIN
Differentiate the role of Security Policy, Standards/guidelines and Controls
Security policy – provides the foundation
Security procedures/standards/guidelines/baselines – provides the framework
Security controls (admin/physical/technical or Mgmt/operations/technical) – used to fill in the framework to provide a full security program
What are the Important characteristics of good security policy
Easy to understand
Driven by business objectives
Integrates security into all functions and processes
Supports legislation
Is a live document, reviewed, changed as needed
Is forward looking
Should be technology and solution independent
Give examples of issue specific and system specific policies
Ex of issue specific policy could be email usage
Ex of system specific policy is how a DB containing sensitive information should be protected
What are the features of advisory policies?
- Advises of acceptable behaviour
- informs ramifications of non compliance
Why is ISO 27001 considered a standard?
Because it was setup by a standards body
Identify the 4 phases of risk management process
- Identify the risk
- Assess the risk
- Reduce risk to acceptable level
- Maintain risk at that level
What are the three tiers of risk management defined by NIST SP 800-39
Organisation Tier
Business Process Tier
Information systems Tier
List common and important concepts in risk management
Acceptable risk should be defined by senior management
- Risk assessment procedures should be documented
- Procedure for identifying risk
- Procedure for mitigating risk
- Financial support from senior management
- Mapping of legal and regulations to controls
- Metrics and performance indicators development
What is threat modelling
process of describing feasible adverse effects on our assets caused by threat sources
What is the difference between threat modelling and risk assessment
Threat Modelling allows an organization to understand what is in the realm of probable not just possible
What is the triad of threat model
The heart of a threat model is the triad of vulnerability, feasible attack, capable threat actor.
What is the tool used in Threat modelling
Attack Tree
Kill-chain/Attack-chain (specialised form of attack tree)
What is the relationship between risk assessment and risk management
Risk assessment is a tool to perform risk management
(it is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls)
What is done after risk assessment
Analysis of the results
Why is risk analysis used?
To ensure that security is
- cost effective
- timely
- relevant
- responsive
What are the 4 main goals of risk analysis
- Identify assets and their value to the organization
- Identify vulnerabilities and threats
- Quantify the probability and business impact of these potential threats
- Provide an economic balance between the threat and cost of countermeasure
Put the following three in perspective
Risk management
Risk assessment
Risk analysis
Risk management is overall thought/concept/process
Risk assessment is a tool used for risk management (identifies threats, vulnerabilities and their impacts)
Risk analysis is done after risk assessment and used to ensure that security is cost effective, timely, relevant and responsive
List the common Risk Assessment guides/methodologies
- NIST SP 800-30 Rev 1
- FRAP
- OCTAVE
- AS/NZS 4360
- ISO/IEC 27005
- FMEA
- FAULT TREE ANALYSIS
- CRAMM
What are the steps in NIST SP 800-30 rev 1
a. Identify threat sources and events
b. Identify vulnerabilities and predisposing conditions
c. Determine likelihood of occurrence
d. Determine magnitude of impact
e. Determine risk
f. Communicate results
g. Maintain assessment
What are the key elements of FRAP
FRAP = Facilitated Risk Analysis Process
- is a qualitative process (not quantitative)
- is dependent on experience of assessor
- generally focussed on one service or application at a time
What is OCTAVE
Operationally Critical Threat, Asset and Vulnerability evaluation
what are the key features of OCTAVE
- self directed team approach through workshop
- scope encompasses multiple systems and applications
What are the key features of AS/NZS 4360
- Not focussed on security
- focussed on health of company from business viewpoint
- includes financial, human safety etc
What is ISO/IEC 27005
- Carrying out risk management in the framework of overall ISMS
- Deals with IT and other softer security issues (documentation/personnel/training etc)
How does FMEA work
Failure - how things fail (not what)
Effect analysis - (impact of failure)
Most useful as a survey method to identify major failure modes in a system
NOT useful for complex failure nodes across systems and subsystems
What is CRAMM in reference to risk assessment
(Central Computing and Telecommunications Agency Risk Analysis and Management Method)
Has questionnaires, formulas, dependency modeling etc all in automated format
What tools to use when integrating risk assessment with overall ISO 27001 security program
ISO IEC 27005
OCTAVE
What assessment tool is best for focussing on IT Security risks
NIST SP 800-30
What risk assessment tool to use if time and budget are limited
FRAP
What risk assessment tools if detailed analysis is required
FMEA
Fault-tree
What is the formula used for quantitative risk analysis
EF = exposure factor (% of loss a realised threat can have)
SLE = single loss expectancy
AV = asset value
ARO = annualised rate of occurrence
SLE = AV X EF
ALE = SLE X ARO
What is the formula for Cost/benefit calculation for a control
(ALE before implementing safeguard) – ( ALE after implementing safeguard) – (Annual cost of safeguard) = value of safeguard to the company
What are the common Risk Management Frameworks?
NIST 800-37r1 (Specific to IT risks)
ISO 31000-2009 (focus on uncertainty, is generic)
ISACA Risk IT (bridge gap between IT and generic. also integrates with COBIT)
COSO Enterprise Risk Management - Integrated framework (generic framework, superset of COSO IC Integrated framework)
what are the 6 steps of NIST risk management framework
NIST Risk Management includes
- Categorise information systems (identify systems, sub-systems and boundaries)
- Select security controls (assessment, analysis, selection)
- Implement security controls (documentation is a key part)
- Assess security controls (determines whether controls are effective)
- Authorise information systems (get approval to integrate IS into broader architecture)
- Monitor security controls (ongoing effectiveness, changes to environment etc)
Formula for total risk
total risk = threats X vulnerability X Asset value
formulas for residual risk
total risk X control gaps = residual risk
OR
Total risk - countermeasures = residual risk
these are not mathematical formulas, only representative
Disaster recovery vs business continuity management
DR - minimise effects of disaster, more IT focussed
BC - longer outage, broader coverage
What are the different standards addressing BCP
NIST SP 800-34
ISO IEC 27031:2011 (focussed on IT)
ISO 22301:2012, broader includes business (against which organisations seek certification)
Business continuity institute Good practice guidelines (GPG)
What are the 7 steps of NIST SP 800-34
- Develop BCP policy
- Conduct BIA (vuln,threat,impact,risk)
- Identify preventive controls
- Create contingency strategies
- Develop IT contingency plan
- Plan testing, training and exercises
- Plan maintenance
Why is BCP required
to reduce financial loss by improving the company's ability to recover and restore operations.
In case of NGOs/military/govt etc BCP is to ensure they can still carry out their critical tasks
In BCP, what should be the risk mitigation measures be geared towards
It should be geared towards those things that might most rapidly disrupt critical business processes and commercial activities.
what is the main goal of business continuity
Restore normal operations by spending least amount of money and resources
What are the BCP project components?
BCP Coordinator
BCP Committee (Biz, cxo, IT, security, PR, Legal)
Contents of BCP Policy
(scope, mission, statement, principles, guidelines, standards)
What is Business Impact Analysis
It is a functional analysis that starts with collection of data across the organisation
Upon completion of data collection phase, the BCP committee needs to conduct BIA to establish which processes, devices or operational activities are critical
To what factors should the BCP committee map the identified threats?
a. Maximum tolerable downtime and disruption for services
b. Operational disruption and productivity
c. Financial considerations
d. Regulatory responsibilities
e. Reputation
What should BCP related risk assessment typically include
- Vulnerabilities for all of the organization's most time sensitive resources and activities
- Threats and hazards to the organization's most urgent resources and activities
- Single points of failure
- Outsourced vendors
- Skills related risks
What is the formula for Risk in BCP
Risk = Threat X Impact X Probability
What is a key factor in BIA
Time
risk mitigation measures should be geared toward those things that might most rapidly disrupt critical business processes and commercial activities
What are the steps involved in BIA in relation to BCP
(Post Graduate Course Requires Lot of Very Rigorous Documentation)
- Select individuals/people for interview
- Create data gathering techniques
- Identify company’s critical business functions
- Identify resources these functions depend on
- Calculate how Long these functions can survive without these resources
- Identify vulnerabilities and threats to these functions
- Calculate the risk for each different business function
- Document findings and report them to management
What is the standard for business continuity management
ISO/IEC 22301
NFPA business planning framework
- Project Initiation and management (always first step is to do project management)
- Risk evaluation and control (since this is Business planning framework, first risk needs to be evaluated)
- Business impact analysis (once risk is evaluated, its business impact is to be analysed)
- Develop Business continuity strategies (once business impact is known, Biz continuity strategy is to be developed)
- Emergency response and operations
- Business continuity plan development and implementation (actual implementation)
- Awareness and Training programs (BCP won't work unless users are aware)
- Maintaining and exercising BCP (document control, drills etc i.e. operations phase of BCP)
- Public relations and crisis communications
- Coordination with public authorities
What is the NIST Cybersecurity framework split into
Functions
Categories
Sub Categories
What is the difference between
NIST SP 800 37r1
NIST SP 800 30
NIST SP 800 53
NIST SP 800 37r1 : Risk Management framework
NIST SP 800 30: Risk assessment framework
NIST SP 800 53 : Controls for IT Security
What are the 5 functions in NIST Cybersecurity framework
Identify
Protect
Detect
Respond
Recover
What are the categories within the Identify function of NIST CSF
Asset management
Business environment
Governance
Risk assessment
Risk management
Supply chain risk management
What are the categories within the Protect function of NIST CSF
Identity management and Access control
Data security
Protective technology
Information protection processes and procedures
Awareness training
What are the categories within the DETECT function of NIST CSF
Detection Processes
Anomalies and Events
Security continuous monitoring
What are the categories within the RESPOND function of NIST CSF
Analysis
Mitigation
Communication
Improvement
What are the categories within the RECOVER function of NIST CSF
Recovery planning
Improvements
Communications