CISSP (Domain 3 - Information Security Governance and Risk Management) Flashcards
4 Items for a Business Model for Information Security
OPPT
- Organization Design/Strategy
- People
- Process
- Technology
6 Interconnections for a Business Model in Information Security
(GCEEHA)
- Governance
- Culture
- Enablement & Support
- Emergence
- Human Factors
- Architecture
Corporate Governance
Set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction and ensuring that objectives are achieved.
Plan Do Check Act (PDCA)
E/IO/MR/MI
Approach to continuous process improvement
- Establish ISMS
- Implement/Operate ISMS
- Monitor/Review ISMS
- Maintain/Improve ISMS
ISO 27001 (Governance)
PDCA model to structure the processes; reflects the principles set out in the OECD guidelines
- How to implement
ISO 27002 (Governance)
AKA ISO 17799, basic outline of hundreds of potential controls and control mechanisms
- What should be secured
3 Goals of a Security Model
(long/mid/short)
(STO)
- Long Term: Strategic Goals (supported by mid/short term goals; e.g., all PCs on VPN)
- Mid Term: Tactical Goals (Put in domains, add Firewalls)
- Short Term: Operational Goals (Patches)
Due Care
- *Do Connect
- Do the right thing and protect assets
- Functional Requirements
Due Diligence
- *Do Detect
- Senior Management
- Investigate actual threats and risks (Determine Risk Exposure)
- Assurance Requirements
CIA Triad
- Confidentiality: Prevent unauthorized disclosure of sensitive information
- Integrity: Prevent unauthorized modification of systems and information
- Availability: Prevent disruption of service and productivity
Confidentiality (CIA Triad) - Threats and Solutions
Threats:
- Hackers
- Malicious Software
- Social Engineering
- System Failure/Employee Error
Solutions:
- Identification
- AuthN
- AuthZ
Integrity (CIA Triad) - Threats and Solutions
Threats:
- Hackers
- Malicious Software
- Social Engineering
- System Failure/Employee Error
Solutions:
- Least Privilege
- Separation of Duties (SoD), prevents collusion
- Rotation of Duties (Mandatory Vacation)
Availability (CIA Triad) - Threats and Solutions
Threats:
- Deliberate Attacks
- System Failure/User Error
- Natural Disasters
Solutions:
- Redundancy
3 Reasons Why We Have Security Policies
OSR
- Objective/Goal or Purpose
- Scope
- Responsibility
What is a Security Policy
General statement produced by senior management/board/committee to dictate what type of role security plays within the organization.
Security Policy Document Relationship
Drivers/MgmtSS/MgmtSD
- Drivers: Laws, Regulations, Best Practices
- Management's Security Statement: Program/Organizational Policy
- Management's Security Directive: Functional Policies (issue-specific and system-specific)
+ standards/procedures/baselines/guidelines
NIST SP 800-12: Program Policy
Program security policy driven by laws/regulations/best practices. Large scope.
NIST SP 800-12: Issue-Specific Policies
Addresses specific security threats that management feels need more detailed explanation and attention.
Ex: Acceptable use of resources agreement, e-mail policy where management can read your email
NIST SP 800-12: System-Specific Policies
Includes two components: Security Objectives and Operational Security Rules.
Usually only on one system
Ex. Payroll and HR can only modify Payroll system
Regulatory Policy
Government ordinance; all who fall under it must comply
Advisory Policy
NOT mandated by law. The company puts it in place on itself.
Informative Policy
Educates whoever reads the policy.
Ex: No smoking in the aircraft
4 Functions for Support Policies
SBPG
- Standards
- Baselines
- Procedures
- Guidelines
Standards - Supporting Policies
- Binding
- Common practice all adhere to (e.g., RHEL only)
Baselines - Supporting Policies
- Binding
- Min level of protection and security
- e.g., minimum password length of 8 characters
Procedures - Supporting Policies
- Binding
- Set of instructions to meet policy
Guidelines - Supporting Policies
- non-binding
- Recommendation or suggestion to improve the overall quality of a policy
- e.g., use ISO/ITIL
3 C's of Data Classification
- Cost Value: Identified during risk analysis
- Classify: Organize according to sensitivity to loss or disclosure (Priority)
- Control: Data segmented into sensitivity levels (Level)
4 Commercial Data Classification Types
CPSP
- Confidential
- Private
- Sensitive
- Public
4 Military Data Classification Types
TSCU
- Top Secret
- Secret
- Confidential
- Unclassified
Difference Between Data Owner and Data Custodian
Data owner directs the data custodian on how to protect the data
Data Owners Responsibilities (2 things)
- Assign a level of priority/classification to a resource (what makes it special)
- Define the level of protection for the asset at that priority
Data Custodian Responsibilities (2 things)
- Implement controls that meet the level of protection needed
- Maintain the data and monitor
Risk Management (IAR) (RA/RM/CE)
The process of identifying, analyzing, and reducing the risk to an acceptable level.
- Risk Assessment
- Risk Mitigation
- Controls Evaluation
Risk Assessment
Identification of the company's assets, their associated risks, and the potential loss the organization could suffer.
Asset - Risk Management
Any resource with value to the organization
Threat - Risk Management
Potential danger to an asset
Threat-Source/Threat-Agent - Risk Management
Anyone or anything with the potential to cause a threat
Vulnerability - Risk Management
Flaw or weakness of an asset
Risk
Likelihood of a threat agent taking advantage of a vulnerability
Exposure
An opportunity for a threat to cause loss (Firewall ports opened)
Event/Exploit
Instance of loss experienced
Loss
Real or perceived devaluation of an asset
Controls (2 types)
- Technical and nontechnical risk mitigation mechanisms (Safeguards/Countermeasures)
- Good controls reduce exposure
Safeguards
Preventative (proactive, avoid)
Countermeasures
Detective and corrective (reactive, respond)
4 Steps to Perform Risk Analysis
WC/HB/LR/HR
- What could happen
- How bad would it be (loss)
- Likelihood to be realized (chance)
- How real are they
NIST 800-30: Risk Assessment Activities (9 Steps)
SC/TI/VI/CA/L/IA/R/CR/D
- System Characterization (identify systems)
- Threat ID
- Vulnerability ID
- Control Analysis
- Likelihood (Will it happen)
- Impact Analysis (loss?)
- Risks
- Control Recommendations
- Documentation
Quantitative - Risk Approach
Assigning numeric/monetary values to risk ($$$$)
Qualitative - Risk Approach
Subjective rating assigned, opinion based
Delphi Method - Risk Approach
People can express their ideas anonymously
Annualized Loss Expectancy (ALE)*
Tornado damages 50% of facility. Facility worth 200,000. Occurs once in 10 years.
SLE x ARO = ALE
SLE: 200,000 x .50 = 100,000
ARO: 1/10 = .1 (remember: 1 divided by the number of years between occurrences)
ALE: 100,000 x .1 = 10,000 per year (justifiable annual spend on countermeasures)
Single Loss Expectancy (SLE)*
Asset Value (AV) x Exposure Factor (EF) = SLE
Annualized Rate of Occurrence (ARO)*
Value that represents the estimated likelihood, per year, of a specific threat taking place
Exposure Factor (EF)
Percentage of asset loss caused by threat
Residual Risk
Risk after countermeasures or safeguards
Total Risk - Acceptable Risk = Residual Risk
Total Risk
Exposure before control put in place
Acceptable Risk
What "C" are ok with
Control Gap
Risk between Total Risk and Acceptable risk
3 Risk Mitigation Options (RTA)
- Reduce
- Transfer
- Accept
Cost-Benefit Analysis Formula
Tornado
- 10k Asset
- 1k deductible
- 2k year policy
Value of the control to the company
ALE Before - ALE After - Annual Cost of Control
10k - 1k - 2k = 7k cost benefit
Security Awareness Training
- Employees won't follow policies unless they know about them
- Employees must know the expectations and the ramifications if they are not met
- Employee recognition award program
- Part of due care
- Administrative control
2 Approaches to Security Management
TD/BU
- Top-Down: Senior management directed (the (ISC)² approach)
- Bottom-Up: IT defines