Chapter 3 - Information Security Framework Flashcards
Information Security Framework
The purpose of an information security framework is to ensure that appropriate control mechanisms are in place to manage information assurance effectively across the enterprise.
Organization and Responsibilities
Day-to-day responsibility should sit with a nominated resource within the organization (usually the CISO or InfoSec Manager), who should hold a position on the board of directors.
One board member will be overall responsible; however, security is also the responsibility of every system user.
Statutory, Regulatory, and Advisory Requirements
Statutory requirements are legal requirements that must be fulfilled.
Regulatory Requirements are often imposed by trade bodies, and these specify how an enterprise should operate to conform with certain standards.
Advisory requirements may arise from government agencies or utility companies and provide advice on what should be in place, but they are not mandatory.
Policies, Standards, Procedures, and Guidelines
A policy is a high-level statement of an organization's values, goals, and objectives in a specific area, and the general approach to achieving them. It does not go into specific details, but compliance with it is mandatory.
A standard is more prescriptive than a policy. It quantifies what needs to be done and provides consistency in controls that can be measured. Compliance with standards is also mandatory.
A procedure is a set of detailed working instructions and will describe what, when, how and by whom something should be done. Again, this is obligatory.
Guidelines are not mandatory, but can provide advice, direction and best practice.
Information Assurance Policy
Every organization should have a (high-level) assurance policy that states the organization’s commitment to information assurance and what it expects to be done to protect its information assets.
Defense-In-Depth Vs Defense-In-Breadth
Defense-in-Depth is a principle that employs layers of security that build on one another. The more sensitive the information, the more complex the security controls in place (the onion model).
Defense-in-Breadth is the idea that we must consider all the connections to any networked system (from third parties, BYOD, home workers, etc.); the weakest point in the chain is often the point of entry. CoCo (Code of Connection) relates to third-party agreements.
End User Code of Practice (Acceptable Use Policy)
The end user code of practice or acceptable use policy provides a readily acceptable way of communicating requirements to users. It should be published to all users that need to access the company’s systems.
Security Architecture and Strategy
An Information Security Strategy is a plan to take the assurance function within an organization from the reality of where it is now to the aspired-to level.
Information Security Architecture can be used in conjunction with a strategy. The architecture translates organizational requirements for assurance into a set of controls that can be used to protect the enterprise’s information assets.
Security Incident Response Plan
A Security Incident Response Plan is a set of instructions to help the organization detect, respond to, and recover from an incident.
5 Stages of Managing a Security Incident
- Reporting
- Investigation
- Assessment
- Corrective Action
- Review
Security Standards & Procedures
The International Organization for Standardization (ISO)
International Electrotechnical Commission (IEC)
International Telecommunications Union (ITU)
The International Organization for Standardization (ISO) is the world's largest developer of standards. It was founded to facilitate the international coordination and unification of industrial standards.
ISO works in collaboration with the IEC and the ITU.
ISO/IEC 27000 Series (ISO27001 & ISO27002)
ISO/IEC 27000 Series is the current set of standards for information security management.
ISO27001 - Specifies the requirements for an information security management system; organizations can be formally certified against it.
ISO27002 - Code of practice for information security management.
Key Standards to Know (Part 1)
- ISO/IEC 27001
The standard for ISMS
- ISO/IEC 27002
Code of practice that provides implementation guidance for controls.
- ISO/IEC 27005
Focuses on information security management.
- ISO/IEC 31000
Standard for Risk Management.
- COBIT (Control Objectives for Information and Related Technologies)
Framework for IT governance and management, often used in audits and compliance.
Key Standards to Know (Part 2)
- ITIL (Information Technology Infrastructure Library)
Focuses on IT service management
- NIST (National Institute of Standards and Technology)
Particularly the NIST Cybersecurity Framework (CSF)
- PCI DSS
Security standard for handling cardholder data
- GDPR
EU regulation for data privacy and protection
- DPA 2018 (Data Protection Act)
UK Implementation of GDPR
Key Standards to Know (Part 3)
- ISO/IEC 27017/27018
Cloud-specific environments.
- ISO/IEC 22301
Business continuity
- ISO 15489
Records Management
- ISO 9001
Quality Assurance
Key Bodies/Organizations
- ICO (Information Commissioner's Office)
UK's independent authority for upholding information rights and enforcing data protection laws.
- ISF (Information Security Forum)
Independent, not-for-profit association that provides security best practice guidance.
- ISACA
Provides guidance, certifications (like CISM and CRISC), and frameworks such as COBIT.
- ENISA (European Union Agency for Cybersecurity)
Provides threat analysis and cybersecurity policy guidance across the EU.
- IETF (Internet Engineering Task Force)
Open standards organization that promotes internet protocols and standards, particularly at the network and transport layers. Maintains RFCs (Requests for Comments) covering protocols such as HTTPS, DNS and TCP/IP.
- FIPS PUBS (Federal Information Processing Standards Publications)
Published by NIST and especially relevant to cryptography and encryption.
- ETSI (European Telecommunications Standards Institute)
Standards for telecommunications, broadcasting, and electronic communications.