D1: Security & Risk Management Flashcards
CIA
Confidentiality
Integrity
Availability
Confidentiality
Confidentiality prevents the unauthorized disclosure of data
Confidentiality assures least privilege and need to know
Integrity
Integrity assures no unauthorized modification is made to data from unintentional or malicious actions
Availability
Availability assures that systems and data are reliable, timely and accessible, fault tolerant, and have recovery procedures in place.
IAAA
Requirements for accountability
Identification: when a user claims an identity; used for access control
Authentication: testing a user’s claimed identity against evidence
Authorization: the rights and permissions granted to a person
Accountability: associates actions with the person who performed them
Privacy
Level of confidentiality and privacy protections
An Organization’s Relationship with Risk
While it’s impossible to eliminate all risk, it’s important to get risk at an acceptable/tolerable level
A popular risk management framework is ISO 27005
To track risk, create baselines - the minimum standards
To reduce/prevent risk when the budget is not constrained, spend more money on better tools
Responsibilities of the ISO (Information Security Officer)
- Documentation
- Computer Incident Response Team
- Security Awareness
- Communicate risk to upper management, as high as possible
- Educate organization that security is everyone’s responsibility
Control Framework Requirements
- Consistent in approach & application
- Measurable ways to determine progress
- Standardized in one format
- Comprehensive - covers end to end
- Modular - adaptive, layered and abstracted
Due Care
When an organization did all that it could reasonably have done to try to prevent a security breach / compromise / disaster, and took the necessary steps as countermeasures / controls (safeguards).
The benefit of due care can be seen as the difference between the damage with or without safeguards in place - AKA doing something about the threats.
Failing to perform periodic security audits can result in the perception that due care is not being maintained.
Due Diligence
When an organization has properly investigated all of its possible weaknesses and vulnerabilities; AKA understanding the threats
Patent Law
Patent law grants ownership of an invention and provides enforcement for the owner to exclude others from practicing the invention
After 20 years the patent expires and the invention is free for anyone to use
Copyright Law
Copyright law protects the expression of ideas but not necessarily the idea itself
Trade Secret
Something that is proprietary to a company and important for its survival and profitability (like formula of Coke)
No application or registration is required
Trademarks
Trademarks are words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald’s M)
Registration lasts 10 years (renewable)
Wassenaar Arrangement (WA)
Export controls on dual-use goods & trade
International agreement covering cryptographic exports, intended to prevent destabilizing accumulations of arms and dual-use technology
Computer Crimes
Consequences include financial loss, image (reputation) damage and penalties
SOX - Sarbanes Oxley
Implemented in 2002 after Enron and WorldCom
Requires independent review by contractors
Section 302: CEOs and CFOs can be sent to jail when information they sign is incorrect
Section 404: Requires internal controls assessment; describe logical controls over accounting files, good auditing and information security
COSO - framework for SOX 404 compliance
Corporate Officer Liability
Executives are held liable if the organization they represent is not compliant with the law
Negligence occurs if there is a failure to implement recommended precautions e.g. disaster recovery plan, background checks, information security, policy, laws and regulations
Treadway Commission
Committee of Sponsoring Organizations of the Treadway Commission (COSO); publishes the internal control framework used for SOX 404 compliance
EU Directive on Privacy and Electronic Communications (2002/58/EC)
Strong in anti-spam and legit marketing
Directs public directories to be subjected to tight controls
Takes an OPT-IN approach to unsolicited commercial electronic communications
Users may refuse to have cookies stored, and must be provided with information about them
Member states in the EU can make own laws e.g. retention of data
Incident
An event that has potential to do harm
Breach
An incident that results in disclosure or potential disclosure of data
Data Disclosure
Unauthorized acquisition of personal information
Event
Threat events can be accidental/intentional exploitations of vulnerabilities.
ITAR
International Traffic in Arms Regulations; US export controls on defense articles and services, including certain cryptography
FERPA
Family Educational Rights and Privacy Act; protects the privacy of student education records
GLBA
Gramm-Leach-Bliley Act; protects credit-related PII held by financial institutions
ECS
Electronic Communication Service (Europe)
Notice of breaches
Fourth Amendment
Basis for privacy rights
1974 US Privacy Act
Protection of PII on federal databases
1980 Organization for Economic Cooperation and Development (OECD)
Guidelines on the protection of privacy and transborder flows of personal data: principles for collection limitation, purpose specification and use limitation
1986/1996 US Computer Fraud and Abuse Act
Trafficking in computer passwords or information that causes a loss of $1K or more or could impair medical treatment
1986 Electronic Communications Privacy Act
Prohibits eavesdropping or interception w/o distinguishing private/public
1994 Communications Assistance for Law Enforcement Act (CALEA)
Amended the electronic communications privacy act of 1986.
CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use
1987 US Computer Security Act
Requires security training, development of a security plan, and identification of sensitive systems in government agencies
1991 US Federal Sentencing Guidelines
Places responsibility on senior management, with fines up to $290 million
Invoke prudent man rule
Address both individuals and organizations
1996 US Economic and Protection of Proprietary Information Act
Makes the theft of trade secrets and proprietary economic information a federal crime
1996 US National Information Infrastructure Protection Act
Encourage other countries to adopt similar frameworks
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
Congress amended HIPAA by this Act
Updated many of HIPAA’s privacy and security requirements
Changed the way the law treats business associates (BA), organizations that handle PHI on behalf of a HIPAA covered entity
Business Associate Agreement: Any relationship between a covered entity and a BA must be governed by a written contract (BAA)
Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity
HITECH also introduced new data breach notification requirements
ISC2 Code of Ethics Canons
Protect society, the commonwealth and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession
Internet Activities Board (IAB), now the Internet Architecture Board
Published RFC 1087, “Ethics and the Internet”
Ethics and Internet (RFC 1087)
Don’t compromise the privacy of users
Access to and use of Internet is a privilege and should be treated as such
It is defined as unacceptable and unethical if you, for example, gain unauthorized access to Internet resources, destroy the integrity of computer-based information, waste resources or compromise the privacy of users.
Business Continuity Plan - Development
Defining the continuity strategy
- Computing: strategy to preserve hardware, software, communication lines, data and applications
- Facilities: use of main buildings or any remote facilities
- People: operators, management, technical support persons
- Supplies and equipment: paper, forms, HVAC
Documenting the continuity strategy
BIA - Business Impact Analysis
Goal is to create a document to be used to help understand what impact a disruptive event would have on the business
Gather Assessment Material:
- Org charts to determine functional relationships
- Examine business success factors
Vulnerability Assessment
- Identify Critical IT resources out of critical processes
- Identify disruption impacts and MTD (Max Tolerable Downtime)
- Quantitative Loss (revenue, expenses for repair)
- Qualitative Loss - competitive edge, public embarrassment
- Presented as LOW, MEDIUM, HIGH
Analyze the compiled information
- Document the process
- Identify interdependencies
- Determine acceptable interruption periods
Documentation and Recommendation
Separation of Duties
Assignment of different parts of tasks to different individuals so no single person has total control of the system’s security mechanisms
Prevents collusion
M of N Control
A requirement that a minimum number of agents (M) out of a total number of agents (N) work together to perform high-security tasks
Ex: Implementing 3 of 8 control would require three of the 8 people assigned the work task of key escrow agent to work together to retrieve a single key from the key escrow database.
Least Privilege
A system’s user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest amount of time
Read-Only, Read/Write and Access/Change
Two Man Control
Two persons review and approve the work of each other, for every sensitive operation
Dual Control
Two persons are required to complete a task
Rotations of Duties
Limiting the amount of time a person is assigned to perform a security related task before being moved to a different task to prevent fraud
Reduces collusion
Mandatory Vacations
Prevents fraud and allows for investigations
One week minimum
Interrupts any fraudulent processes that depend on the employee’s continuous presence
Need to Know
The subject is given only the amount of information required to perform an assigned task; requires a business justification
Employment
Staff members pose a greater threat than external actors
- loss of money
- stolen equipment
- loss of time / work hours
- loss of reputation
- declining trust and loss of resources
- bandwidth theft
- due diligence
Termination (voluntary and involuntary): conduct an exit interview
Agreements
NDA
Acceptable Use
Non-Compete
Third Party Controls
Vendors
Consultants
Contractors
Ensure vendors are properly supervised, with access rights based on policy
Risk Management Concepts
Threat - potential cause of damage
Vulnerability - weakness exploitable by a threat vector (a vulnerability by itself never does anything)
Likelihood - probability it will happen
Impact - overall effects if it happens
Residual Risk - amount left over after controls
The organization owns the risk
Risk is the product of likelihood and impact
ITIL
ITIL - best practices for IT core operational processes, not for audit
- Service
- Change
- Release
- Configuration
Strong end to end customer focus/expertise
About services and service strategy
Risk Management Goal
The goal of risk management is to determine the impact of the threat and risk of threat occurring and to reduce risk to an acceptable level
Risk Assessment Steps
- Prepare for Assessment (purpose, scope, etc.)
- Conduct Assessment
  - ID threat sources and events
  - ID vulnerabilities
  - Determine likelihood of occurrence
  - Determine magnitude of impact
  - Determine risk
- Communicate Risk/Results
- Maintain Assessment regularly
Types of Risk
Inherent Risk: chance of making an error with no controls in place
Control Risk: chance that controls in place will prevent, detect or control errors
Detection Risk: chance that auditors won’t find an error
Residual Risk: Risk remaining after a control is in place
Business Risk: Concerns about effects of unforeseen circumstances
Overall Risk: combination of all risks aka Audit Risk
Preliminary Security Examination (PSE)
Helps to gather the elements that you will need when the actual risk analysis takes place
Risk Analysis Steps
- Identify Assets
- Identify Threats
- Calculate Risks
Risk Assessment Steps
- Prepare
- Perform
- Communicate
- Maintain
Qualitative Risk Analysis
Rates risk with subjective, non-monetary scales (e.g., LOW, MEDIUM, HIGH) based on expert judgment rather than calculated dollar values
SLE
Single Loss Expectancy
SLE = Asset Value * Exposure Factor
Exposure Factor
Percentage loss of an asset
ARO
Annualized Rate of Occurrence
ALE
Annual Loss Expectancy
ALE = SLE * ARO
Loss
Loss = Probability * Cost
Risk Response Options
Mitigate: Reduce risk by implementing controls
Assign (Transfer): insure the risk to transfer it
Avoid: Stop business activity