Chapter 1 - Security Governance Through Principles And Policies Flashcards
Seclusion
Seclusion involves storing something in an out-of-the-way location. This location can also provide strict access controls. Seclusion can help enforce confidentiality protections.
Levels of government/military classifications
Top Secret, Secret, Confidential, Sensitive but unclassified, Unclassified
U.S. Can Stop Terrorism (reverse order of uppercase letters)
Confidential vs Private data in commercial business/private sector classification
Confidential data is company data whereas private data is data related to individuals.
The next step in threat modeling is to perform reduction analysis. What are the five key concepts in the decomposition process?
Trust Boundaries: Any location where the level of trust or security changes
Data Flow Paths: The movement of data between locations
Input Points: Locations where external input is received
Privileged Operations: Any activity that requires greater privileges than a standard user account or process, typically required to make system changes or alter security
Details about Security Stance and Approach: The declaration of the security policy, security foundations, and security assumptions.
Basics of Threat Modeling
Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. Key concepts include assets/attackers/software, STRIDE, diagramming, reduction/decomposing, and DREAD.
Microsoft developed a threat categorization scheme known as STRIDE. What components does STRIDE include? What is it used for?
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
STRIDE is often used in relation to assessing threats against applications or operating systems.
Compare serial configuration protection to parallel configuration protection.
Layering, also known as defense in depth, is simply the use of multiple controls in a series.
Serial configurations are very narrow but very deep, whereas parallel configurations are very wide but very shallow.
Three sub-dimensions of quality in COBIT 5
The three sub-dimensions of quality in COBIT 5 are as follows:
- Intrinsic quality – The extent to which data values are in conformance with the actual or true values. It includes:
  - Accuracy – The extent to which information is correct, accurate and reliable.
  - Objectivity – The extent to which information is unbiased, unprejudiced and impartial.
  - Believability – The extent to which information is regarded as true and credible.
  - Reputation – The extent to which information is highly regarded in terms of its source or content.
- Contextual and Representational quality – The extent to which information is applicable to the task of the information user and is presented in an intelligible and clear manner, recognizing that information quality depends on the context of use. It includes:
  - Relevancy – The extent to which information is applicable and helpful for the task at hand.
  - Completeness – The extent to which information is not missing and is of sufficient depth and breadth for the task at hand.
  - Currency – The extent to which information is sufficiently up to date for the task at hand.
  - Appropriate amount of information – The extent to which the volume of information is appropriate for the task at hand.
  - Consistent representation – The extent to which information is presented in the same format.
  - Interpretability – The extent to which information is in appropriate languages, symbols and units, with clear definitions.
  - Understandability – The extent to which information is easily comprehended.
  - Ease of manipulation – The extent to which information is easy to manipulate and apply to different tasks.
- Security/accessibility quality – The extent to which information is available or obtainable. It includes:
  - Availability/timeliness – The extent to which information is available when required, or easily and quickly retrievable.
  - Restricted access – The extent to which access to information is appropriately restricted to authorized parties.
COSO’s main objectives and purpose
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studied factors that lead to fraudulent financial reporting and produced recommendations for public companies, their auditors, the Securities and Exchange Commission, and other regulators.
COSO identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives. These include: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring.
The COSO internal control model has been adopted as a framework by some organizations working toward Sarbanes–Oxley Section 404 compliance.
COSO deals more at the strategic level, while COBIT focuses more at the operational level. COBIT is a way to meet many of the COSO objectives, but only from the IT perspective.
COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures.
Its main purpose is to help ensure fraudulent financial reporting cannot take place in an organization.
Acceptable Use Policy
Unless you specifically define how users interact with your information technology assets, you cannot legally punish them when they damage, steal or otherwise abuse the systems and their information.
Access to critical systems is a serious responsibility, and it is vital as a manager to strictly define how employees are to interact with the information.
If you do not define their responsibilities with your organization’s data, you cannot legally hold them responsible when they abuse, damage or steal it.
There are canned AUPs you can download from various websites which are pretty good starting points, and you can customize them to meet the needs of your organization.
Who is responsible for restricting and monitoring access of a data user?
Security Administrator
For your exam you should know the following roles in an organization:
Data Owners – These people are generally managers and directors responsible for using information for running and controlling the business. Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly reviewing the access rules for the data for which they are responsible.
Data Custodian or Data Steward – These people are responsible for storing and safeguarding the data, and include IS personnel such as systems analysts and computer operators.
Security Administrator – Security administrators are responsible for providing adequate physical and logical security for IS programs, data and equipment.
Data Users – Data users, including the internal and external user community, are the actual users of computerized data. Their level of access into the computer should be authorized by the data owners, and restricted and monitored by the security administrator.
Effective security policy
An effective information security policy should be designed with a long-term focus.
Five key principles that form the core of the COBIT 5 framework
Meeting Stakeholder Needs It is critical to define and link enterprise goals and IT-related goals to best support stakeholder needs.
Covering the Enterprise End to End Companies must shift from managing IT as a cost to managing IT as an asset, and business managers must take on the accountability for governing and managing IT-related assets within their own functions.
Applying a Single Integrated Framework Using a single, integrated governance framework can help organizations deliver optimum value from their IT assets and resources.
Enabling a Holistic Approach Governance of enterprise IT (GEIT) requires a holistic approach that takes into account many components, also known as enablers. Enablers influence whether something will work. COBIT 5 features seven enablers for improving GEIT, including principles, policies and frameworks; processes; culture; information and people.
Separating Governance From Management Governance processes ensure goals are achieved by evaluating stakeholder needs, setting direction through prioritization and decision making; and monitoring performance, compliance and progress. Based on the results from governance activities, business and IT management then plan, build, run and monitor activities to ensure alignment with the direction that was set.
Due care vs due diligence
Due diligence is performing reasonable examination and research before committing to a course of action. Basically, “look before you leap.” In law, you would perform due diligence by researching the terms of a contract before signing it. The opposite of due diligence might be “haphazard” or “not doing your homework.”
Due care is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if the due care situation exists because of a contract, regulation, or law. The opposite of due care is “negligence.”
Due care – Employees should exercise due care within office environments and especially during travel. Any loss or theft of a mobile device must be treated as a security breach and reported immediately in accordance with security management policies and procedures.
In summary, due diligence is identifying threats and risks, while due care is acting upon the findings to mitigate those risks.
EXAM TIP:
Due diligence refers to the steps taken to identify risks that exist within the environment. This is based on best practices, standards such as ISO 27001 and ISO 17799, and other consensus. The first letters of the words Due and Diligence should remind you of this: DD = Do Detect.
In the case of due care, it is the actions you have taken (implementing, designing, enforcing, updating) to reduce the risks identified and keep them at an acceptable level. The same applies here: the first letters of the words Due and Care are DC, which should remind you that DC = Do Correct.
Different focus between TCSEC and ITSEC?
TCSEC focused on confidentiality while ITSEC added integrity and availability as security goals.