Chapter 2 - Planning and Policy

Question 1

How much of your time, if done properly, should Planning and Protection take up, compared to Response?

Answer 1

If all is done well with planning and protection, the two should take up about 90% of your time.

Question 2

What is the hardest, and most important, part of information security planning?

Answer 2

Management is the hardest and most important part of information security. Security is a process, not a product.

Question 3

What is comprehensive security?

Answer 3

Comprehensive security is the state of having closed off all possible avenues of attack. This is pretty damn tricky, but very important.

Question 4

What is weakest link failure?

Answer 4

Weakest link failure is the concept that it only takes one failure in any component or part of a security process to invalidate security efforts.

Question 5

How is it best to manage security?

Answer 5

Security management must, MUST be formalized and continuous.

Question 6

When should security be factored into a new system?

Answer 6

Security should be considered at the very beginning of the design of a system, within the SDLC.

Question 7

What’s the difference between police and security?

Answer 7

Security prevents “crime”. Police punish it more often than not, but rarely prevent.

Question 8

How can IT security be planned?

Answer 8

IT security can be planned by identifying current security gaps, identifying the threat environment, laws and standards that impact security, and then identifying the corporate resources that need to be protected, calculating the worth of a resource compared to the cost of protecting it. The ones that provide the most return get protected first, and the rest get coverage as cycles move forward.

Question 9

What are the benefits and downsides of having IT security located within IT?

Answer 9

With IT security located within IT, there will be a lot of technical compatibility, but it makes it rather hard for “whistle-blowing” on IT. It’s recommended that security be placed outside of IT, for that reason, although there are downsides (silo’d knowledge).

Question 10

Why is it important to have “top management support”?

Answer 10

Top management support brings with it a significant increase in budget, but just as important, it also brings a good example to follow; if top management isn’t following ITSec, then no one else will. The inverse of this is true.

Question 11

What is the best way to treat users? Or rather, how not to treat them?

Answer 11

THE USER IS NOT STUPID, JUST UNDER-EDUCATED.

Question 12

What is Single Loss Expectancy? How is it calculated?

Answer 12

Single Loss Expectancy (SLE) is the expected loss to an organization in the event of a compromise of a specific asset. This is calculated by taking the Asset Value (AV) and multiplying it by the Exposure Value (EV), which is the percentage of loss in value an asset suffers from being compromised.

Question 13

What is Annualized Loss Expectancy? How is it calculated?

Answer 13

Annualized Loss Expectancy (ALE) is the expected loss per year that an asset is projected to have, based on the probability of a compromise. This is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO, the odds of a compromise happening in a year).

Question 14

What is classic risk analysis, and what are some problems with it?

Answer 14

Classic risk analysis takes a look at the Annualized Loss Expectancy and compares it to the annualized cost of the countermeasures, and determines the total value of the countermeasure (whether or not it’s cost-effective to prevent the loss).
This is good, but there are problems. Attack and defense costs will need to be calculated with discounted values (net present value), depreciation, that sort of thing. Also, not all compromises involve actual “loss” of data. Finally, the actual ARO is all but impossible to predict accurately.

Question 15

For what reasons is security management hard?

Answer 15

Security management is hard because it is abstract. That’s a lot of it. Also, the idea that all avenues of attack must be covered, and that if even one fails, they’re all basically gone, well. That doesn’t make it any easier. Finally, companies usually have a lot to protect.

Question 16

List the three stages in the plan–protect–respond cycle. Is there a sequential flow between the stages?

Answer 16

Plan, protect, respond. Simple enough. There actually is not a sequential flow, all three stages are occurring at once, and feed into one another.

Question 17

Of the plan-protect-respond cycle, which phase consumes the most time?

Answer 17

The wide majority of time is spent on the protection phase.

Question 18

What is the definition of protection?

Answer 18

Protection is the plan-based creation and operation of countermeasures.

Question 19

What is the definition of response?

Answer 19

Response is recovery according to plan.

Question 20

What is the key factor to making security an enabler rather than a frustration?

Answer 20

To make security an enabler over a frustration, it is important to make security an early part of any given project.

Question 21

In developing an IT security plan, what would a company do first?

Answer 21

The first step of developing an IT security plan is to first identify the existing security, weaknesses and strengths.

Question 22

What are the major categories that drive IT security?

Answer 22

The major categories that drive IT security are the threat environment, laws and regulations, corporate structure, mergers, etc.

Question 23

When can the Federal Trade Commission (FTC) act on companies?

Answer 23

The FTC can act on companies when they fail to take reasonable precautions to protect private information.

Question 24

What is the usual title of the manager of the security department?

Answer 24

The manager of the security department is generally called the Chief Security Officer (CSO), or Chief Information Security Officer (CISO).

Question 25

Why is the HR department important to security?

Answer 25

HR is important to security because it is responsible for training, including security training. It also handles hiring and firing employees, and needs to work alongside security throughout these processes.

Question 26

What are the three main types of corporate auditing units?

Answer 26

The three types of corporate auditing units are:
Internal Auditing - Examines organizational units for efficiency, effectiveness, and adequate controls.
Financial Auditing - Examines financial processes for efficiency, effectiveness, and adequate controls.
IT Auditing - Examines processes involving IT for efficiency, effectiveness, and adequate controls.

Question 27

What is a Managed Security Service Provider?

Answer 27

A MSSP, or Managed Security Service Provider, is a system that takes event logs for a company’s network and monitors it for suspicious events, only notifying only for major incidents requiring events.

Question 28

What are the two main advantages of using a Managed Security Service Provider?

Answer 28

The main two benefits of using a managed security service provider are that an MSSP is experienced in dealing with threats and attacks, compared to an internal department, who might deal with one or two a year.
The other main benefit is independence. An MSSP can hold accountable everyone in a company, including IT and security staff.

Question 29

What security concerns are not usually outsourced?

Answer 29

Security planning and policy are generally not outsourced, as they are too vital and company-specific.

Question 30

Why is information assurance a poor name for IT security?

Answer 30

Information assurance leads to the idea that a company can guarantee the confidentiality of information, and that is not true.

Question 31

Why is reasonable risk the goal of IT security?

Answer 31

Reasonable risk is preferable because absolute security isn’t possible, and getting close to it can impact performance and be unpleasant.

Question 32

What are some negative consequences of IT security?

Answer 32

Some negative consequences of IT security would be psychological and productivity costs, and extensive expense.

Question 33

What is exposure factor?

Answer 33

Exposure factor is the percentage of an asset’s value that is lost in a breach.

Question 34

What is single loss expectancy?

Answer 34

Single loss expectancy is the amount of damage that would be sustained to a specific asset in a breach.

Question 35

What is the annualized probability/rate of occurrence?

Answer 35

The annualized rate of probability/occurrence is the expected number of times an attack will succeed in a year. Notoriously inaccurate.

Question 36

What is the annualized loss expectancy?

Answer 36

The annualized loss expectancy is how much a company stands to lose from an asset due to attacks in a given year.

Question 37

What are some flaws with classic risk analysis?

Answer 37

Some flaws in classic risk analysis are:
Uneven Multi-Year Cash Flows - Security countermeasures tend to get cheaper after their first year, and their benefits tend to increase. Over time, this inverts.
Total Cost of Incident - It’s damn hard to properly calculate loss of “value” in a breach.
Many-to-Many Relationships - Classic risk analysis assumes there’ll be one countermeasure to one asset; shit no, firewall protects everyone, baby. Basically, one countermeasure can work on multiple assets at once.

Question 38

What are four ways of responding to risk?

Answer 38

The four methods of responding to risk are:
Risk Reduction - Adopting active countermeasures to risks. 
Risk Acceptance - Understanding risks and doing nothing, generally when the cost of a countermeasure is greater than the damage that the risk could inflict.
Risk Transference (Insurance) - As long as reasonable countermeasures are in place, insurance will cover damages of risks.
Risk Avoidance - Flat-out not taking an action that seems too risky. "Kills" innovation, though.

Question 39

What is technical security architecture?

Answer 39

Technical security architecture is all of a company’s technical countermeasures and how those countermeasures are organized into a complete system of protection.

Question 40

Why is technical security architecture needed?

Answer 40

Technical security architecture allows a company to have a good understanding of the structure of their security, and allows them to see areas of weakness when compared to the security needs of the company.

Question 41

Why do firms not immediately replace their legacy security technology?

Answer 41

There are many reasons that a company might not replace its legacy security technology immediately; expense, technical complexity, difficulty of planning and implementation, and so on.

Question 42

What is the difference between the “Defense In Depth” philosophy and “Weakest Link”?

Answer 42

Defense in Depth refers to the idea of having multiple different, independent and overlapping countermeasures in place, so that if one fails, the others remain up. Weakest link refers to one countermeasure that is itself composed of multiple interdependent components.

Question 43

Why are central security management consoles dangerous?

Answer 43

A central security management console would give an illicit user the ability to do massive damage.

Question 44

Why are central security management consoles desirable?

Answer 44

Having a centralized location to manage security makes management and coordination considerably easier. This prevents things like inconsistent policies from being implemented.

Question 45

Why is border management important?

Answer 45

Border management is important because it keeps networks properly secured against the rest of the world.

Question 46

Why isn’t border management a complete security solution?

Answer 46

Border management (firewalls ‘n such) aren’t complete solutions because they don’t adhere to defense-in-depth.

Question 47

Why is remote connection from home a dangerous thing?

Answer 47

Often, connecting remotely from home involves using the users’ home computers, which can have god-only-knows-what on them, and lets that stuff onto the secured network.

Question 48

Why are interorganizational systems dangerous?

Answer 48

Interorganizational systems are dangerous because neither of the two companies can enforce their security standards on the other, or shit, even learn about the other’s security in general, leaving weaknesses.

Question 49

What’s so great about centralized security management?

Answer 49

Centralized security management is important because it allows for policies to be deployed easily from one or a few secure points, consistently, across all devices, immediately.

Question 50

What is a policy?

Answer 50

A policy is a statement of what should be done under certain circumstances. Note, what should be done, not how it should be done.

Question 51

What is implementation?

Answer 51

Implementation is how a policy is performed.

Question 52

What’s the difference between policy and implementation?

Answer 52

A policy sets the general goal and vision of what should occur under circumstances, and is generally static. Implementation can change as the required work to enact that policy may change.

Question 53

What are the categories of security policy?

Answer 53

These are the categories of security policy:
Corporate Policy - This is the topmost level of security policy, defining a firm’s stance on security. It should be brief and to the point.
Major Policy - More detailed than the corporate policy, the major policy are broad, but detailed. Things like email policies, hiring and termination policies, etc.
Acceptable Use Policy - An AUP details important points of a major policy as it applies specially to users, in a legally binding way.
Policies for Specific Resources/Countermeasures - The most detailed, these are necessary to fill in the ambiguity still left by Major Policies when it comes to individual needs.

Question 54

What is the difference between standards and guidelines?

Answer 54

Standards are mandatory implementation guidance, and they must be met. Guidelines are discretionary. The only requirement of a guideline is that it must be considered, not followed.

Question 55

When are guidelines appropriate?

Answer 55

Guidelines are appropriate in complex or uncertain situations where rigid standards might get snarled up. Think of situations where exceptions to the hard-and-fast rule might pop up from time to time.

Question 56

What is implementation guidance?

Answer 56

Implementation guidance is a way of limiting the “discretion” of implementers, trying to avoid bad implementation decisions when implementing policies, and trying to keep some consistency in implementation.

Question 57

What are some types of implementation guidance?

Answer 57

Some forms of implementation guidance are as follows:
Procedures - Procedures are highly detailed instructions as to the actions that must be taken by specific employees.
Processes - For more managerial positions, processes are necessary. Processes are high-level descriptions of what needs to be done, as it is often difficult to reduce everything to a series of low-level instructions.
Baselines - Baselines are meant to describe the necessary accomplishments, without actually describing the actions themselves required to produce them. Baselines must usually be tailored to specific situations.
Best Practices - Best practices are examples of what the top firms in an industry are doing about security.

Question 58

How does segregation of duties impact procedures?

Answer 58

Segregation of duties, if it’s being honored, would require that a procedure not be undertaken entirely by one person, to prevent them from being unchecked and causing possible harm. Mind you, collusion between people can still make this happen, but this helps.

Question 59

How are best practices different than recommended practices?

Answer 59

Best practices are examples distilled from top companies, generally applied. Recommended practices are prescriptive statements about what companies should do.