Chapter 4: Governance and Risk Management Flashcards
Security Programme
An ongoing management activity for the preservation and advancement of the organization
Most crucial element in a programme
Policies
Charter
Top of the policies and standards library; usually built by management; another word for a programme level policy
Policy informational elements (best practice)
Title
Purpose
Authorizing individual
Author
Other policy references
Scope
Measurement expectations
Exception process
Accountability
Compliance management (and measurements description)
Effective/expiration dates
Definitions
Programme level policy
Management sponsored “mission statement”
Programme framework policy
Describes the elements and organization of the program and department(s) that will carry out the programme level policy
Issue specific policy
Addresses specific issues or sets of issues of concern to the organization. Can be regulatory or compliance oriented
System specific policy
Focuses on a specific system, such as an access system, a particular piece of equipment, or legacy items
PLP Purpose
Defines goals of the program and structure. May designate high level departments or offices
PLP Scope
Specifies which resources, information, and personnel are covered
PLP Responsibilities
Addresses which officials, offices, owners, and users are responsible for which tasks and own which information and to what degree
PLP Compliance
Authorizes creation of guidelines for penalties or disciplinary actions for those who do not fulfill their responsibilities
Must account for both willful and non-willful noncompliance
PFP - Descriptive Points
More stable long term than an issue specific policy
Can address multiple semi-related issues in one shot
Examples include business continuity planning, application development security frameworks, physical security requirements for data centers, etc
ISP- Issue Statement
Defines the issue and includes any relevant terms, distinctions, or conditions
ISP - Position
States an organization’s position clearly on the issue
ISP - Applicability
States when, where, how, to whom and to what a particular policy applies
ISP - Roles and Responsibilities
Assigns roles and responsibilities within the issue
ISP - Compliance
Describes penalties and disciplinary actions in cases of violation. May require coordination with collective bargaining bodies.
ISP - Points of Contact and Supplemental Info
Lists who to talk to if more information is required or if an issue requires an interaction (a manager, administrator, etc)
Security Objectives
Series of statements to describe meaningful actions about specific resources; connected to
Operational Security
Nuts and bolts of who can access which things and when
Formal policies
Security role assignments, access lists, anything controversial
Policy implementation
Requires both hardware and software as well as the human element… how do you actually achieve the granular level of the thing you want?
Regulations
Laws passed by regulators or lawmakers (GLBA, HIPAA, etc)
Standards and baselines
Topic specific (standards) or system specific (baselines) that describe how to achieve a particular security state; NIST, etc. What auditors are looking for when they audit a company
Guidelines
Best practices (often from industry) in implementing a preferred state of security
Procedures
Step by step instructions for a process; ensures repeatability
ISO/IEC 17799
Common set of standards used to describe domains similarly to CISSP; suggestive in nature
British Standard 7799
More specific than ISO/IEC 17799; places specific dictates about how to meet general principles or areas of responsibility
Control Objectives for Information and Related Technology (COBIT)
Standards preferred by many IT auditors
Public information
Marketing content on a website, directories of contact information, published reports
Business sensitive/confidential
Company directories, GALs, internal policies, invoice info
Customer confidential
Any customer PII, SSN, credit card numbers, account activity, purchase activity, grades
Trade secret
Secret recipes, disciplinary actions, proprietary info
Quantitative Risk Analysis
Independent set of risk metrics and statistics
Annualized Loss Expectancy (ALE)
Single loss expectancy (SLE) multiplied by annual rate of occurrence (ARO)
Qualitative Risk Analysis
Uses only estimates of potential loss and takes into account Threats, Vulnerabilities, and Controls
Threats (QRA)
Things that can go wrong or attack the system; always exists, can’t be eliminated
Vulnerabilities (QRA)
Makes a system more prone to attack or more likely to see a threat realized (combustible paper in a flammable zone, for example)
Controls (QRA)
Countermeasures for vulnerabilities; consist of deterrents, preventatives, correctives, detectives, and recoveries
Risk
Exists when there is the presence of a threat, a corresponding vulnerability, and the likelihood that someone will exploit them both
Three questions Risk Analysis asks
What am I trying to protect?
What is threatening my system?
How much time, effort and money am I willing to spend?