Domain 1: Information Security Governance Flashcards

1
Q
  • Define Governance
  • Steps
A

Governance - the rules that run the organization (policies, procedures, standards). Sets the direction and controls the organization's activities

Failure of governance = predominant reason for failure in security

  1. Senior management determines requirements, outcomes, and level of acceptable risk
  2. Security manager sets control objectives to satisfy requirements
  3. Security manager determines how to move from current state to desired state (gap analysis)
  4. Create road map to identify specifics needed to achieve objectives
  5. Identify resources needed to navigate road map and implement strategy. Identify constraints
2
Q

ISO/IEC 27000

A

Requirements for managing information security management system (ISMS)

3
Q
  1. Policies
  2. Standards
  3. Business Case
  4. Examples of internal and external factors that may affect threats, vulnerabilities, and exposures
A
  1. Policies
  • designed to mitigate risk
  • usually developed in response to a perceived threat
  • state management intent and direction at a high level
  • support strategic objectives
  2. Standards
  • set boundaries for people, processes, procedures, and technologies
  • maintain compliance with policies
  • support achievement of the organization's goals and objectives
  • combined with other controls to create security baselines
  3. Business Case
  • captures the business reasoning for initiating a project
  • identifies the needs and business purpose
  • encompasses benefits, total cost of ownership (TCO), and risk for the full cycle of the project
  4. Internal and External Factors

Internal - people, business activities, financial capacity to absorb loss

External - market changes, emerging threats, new technologies, new regulations, attackers

4
Q

Importance of Metrics

A
  • What cannot be measured cannot be managed.
  • The most important requirement for good metrics is to identify what information is needed at different organizational levels
  • The first step is to establish metrics by determining what is meaningful to the recipients; then communicate them to the appropriate personnel and monitor continuously
5
Q

Benefits of prudent management

A
  1. address increased potential for civil or legal liability due to inaccurate information or absence of due care
  2. assurance of policy compliance
  3. increase predictability and reduce uncertainty of business operations by lowering risk to acceptable level
  4. provide framework to optimize allocations of limited security resources
  5. level of assurance that critical decisions are not based on faulty information
  6. firm foundation for efficient and effective risk mgmt, process improvement, rapid incident response and continuity mgmt
  7. greater confidence in interaction with trading partners
  8. trust in customer relationships
  9. protect organization’s reputation
  10. better ways to process electronic transactions
  11. safeguard information during critical business activities, such as mergers and acquisitions
  12. mgmt of resources
6
Q

Six outcomes of Governance

A

ACRONYM: RRAPS-V

The objective of governance is to develop and manage security program that achieves these outcomes:

  1. Strategic alignment - aligning security requirements with enterprise requirements; supports business objectives and strategy
  2. Risk Management - managing risk to an acceptable level
  3. Value Delivery - security investments should be managed to optimize support of business objectives and deliver clear value to the organization; there should be clear standards and practices in place, baselines, and continuous improvement of the program
  4. Resource Optimization - document security processes and architectures. Security architectures should be developed to define and use infrastructures to achieve security objectives efficiently. This promotes recognition of resource needs.
  5. Performance Measurement - monitoring and reporting to ensure objectives are achieved, i.e. metrics
  6. Assurance process integration - integrating all functions with security

7
Q

Relationship of Governance Elements

A
8
Q
  1. Risk Capacity
  2. Risk Appetite
  3. Risk Acceptance vs risk appetite and risk capacity
  4. Residual Risk
  5. Risk Tolerance
  6. Risk Exposure
  7. Risk Register
  8. Inherent Risk
  9. Risk Transfer and at what impact and likelihood levels is this likely done?
A
  1. Risk Capacity - amount of loss an enterprise can tolerate without continued existence being called into question
  2. Risk Appetite - amount of risk an enterprise is willing to accept in pursuit of its mission
  3. Risk Acceptance vs risk appetite and risk capacity - Risk acceptance should not exceed risk appetite or risk capacity
  4. Residual Risk - Residual risk is the remaining risk after all mitigation efforts have occurred
  5. Risk Tolerance - the acceptable level of variation an organization is willing to allow for a risk
  6. Risk Exposure - the potential losses
  7. Risk Register - documentation of information discovered through risk analysis
  8. Inherent Risk - the risk that exists
  9. Risk Transfer - process of assigning risk to another organization through purchase of insurance or outsourcing; commonly done with low likelihood high impact risks such as floods.
9
Q
  1. Information Security
  2. IT Security
  3. Cybersecurity
  4. Information Security Governance
A
  1. Information Security - deals with all aspects of information (written, spoken, electronic) regardless of whether it is being created, transported, stored, or destroyed.
  2. IT Security - deals with the security of information within the boundaries of the technology domain, in a custodial capacity. IT is NOT the owner of the information; IT owns the machinery that processes it. IT functions as a custodian for the data owners.
  3. Cybersecurity - a subdiscipline of information security; includes both IT security and information security.
  4. Information Security Governance - scope and responsibilities should be clearly set in strategy and policies. It is essential that information security is supported by senior management.
10
Q

Governance, Risk Management, and Compliance (GRC)

A
  1. Governance - responsibility of senior management and the board of directors. Focuses on creating mechanisms to ensure personnel follow established processes and policies
  2. Risk management - managing risk to an acceptable level. Identify potential risk and associated impacts. Prioritize mitigation based on business objectives. Develop and deploy internal controls to manage and mitigate risk throughout the organization
  3. Compliance - record and monitor the policies, procedures, and controls needed to ensure policies and standards are being followed

Effective integration of GRC requires that governance is in place before risk can be managed and before compliance can be enforced.

11
Q
  1. Business Model for Information Security (BMIS)
  2. Systems Thinking
  3. Holistic approach
A
  1. Business Model for Information Security (BMIS) - uses systems thinking to clarify the complex relationships within the enterprise so that security can be managed more effectively. It is made up of elements and dynamic interconnections, which form the basis of the model, establish the boundaries of an information security program, and model how the program functions and reacts to internal and external change (it looks at complex environments, e.g. GRC, policies, people, and their relationships).
  2. Systems Thinking - examine how systems interact, work, and why the whole is more than the sum of its parts
  3. Holistic approach - examine system as a complete functioning unit and not a sum of its parts
12
Q

BMIS 4 elements and 6 dynamic interconnections

A

***Elements

  1. Organization design and strategy - network of people, assets, and processes interacting with each other in defined roles and working towards common goal. The strategy specifies business goals and the objectives to be achieved. Sets the basic direction of the enterprise. The strategy should adapt to external and internal factors.
  2. People - defines who implements each part of the strategy. Internally, deals with recruitment, employee issues, termination. Externally, customers, suppliers, stakeholders have strong influence on enterprise
  3. Process - formal and informal mechanisms to get things done and a vital link to all dynamic interconnections. Identify, ensure, manage and control risk, availability, confidentiality, integrity, and accountability. Ensure processes meet business requirements, align with policy, is well documented, communicated, and reviewed periodically
  4. Technology - tools, applications, and infrastructure

***Dynamic Interconnections - actions and behavior can force the model out of balance or bring it back to equilibrium

  1. Governance - sets limits within which an enterprise operates and is implemented within processes to monitor performance, describe activities, and achieve compliance while also providing adaptability to emergent conditions (organization > process)
  2. Culture - pattern of behaviors, beliefs, assumptions, attitudes, and ways of doing things. It is learned and creates sense of comfort. Culture exists at an organizational level (policies, expectations). What is information considered, how is it interpreted, and what will be done with it? (organization > people)
  3. Enablement and Support - make processes usable and easy, and be transparent to ensure people comply with technical security measures. Policies, standards, and guidelines should eliminate conflicts of interest, be flexible to support changing business objectives, and be easy to follow (Process > Technology)
  4. Emergence - implies developing, growing, evolving, and refers to patterns in life of enterprise. Introduces possible solutions (i.e. Feedback loops, process improvement, change control) (Process > People)
  5. Human Factors - people may not understand how to use technology or refuse to embrace technology. Can cause internal threats such as data leakage, data theft. Important to train all users (People > Technology)
  6. Architecture - comprehensive and formal encapsulation of the people, processes, policies and technology that comprise an enterprise’s security practices. Ensures defense in depth. The design describes how security controls are positioned and how they relate to the overall enterprise architecture. Consistent and cost-effective
13
Q
  1. Board of Directors
  2. Senior Management
  3. Business Process owners
  4. Steering Committee
  5. Chief Information Security Officer
A
  1. Board of Directors - it is essential that the Board is involved with and provides oversight to information security. A common concern of the Board is liability. The Board is protected by insurance; however, it must exercise due care. Neglecting to address risk is a failure of due care and therefore voids that protection. The US Sarbanes-Oxley Act mandates that every company listed on a stock exchange maintain an audit committee. The board is often the audit committee, monitoring internal controls, mainly financial controls.
  2. Senior Management - ensure organizational functions, resources, and infrastructure are available and properly utilized to fulfill directives of the board, regulatory compliance, etc.
  3. Business Process owners - responsible for aligning security activities to support business objectives
  4. Steering Committee - comprised of senior representatives of the stakeholders/groups that are affected by security considerations. The security manager should ensure roles, responsibilities, activities, and scope are clearly defined for those on the steering committee. Material should be reviewed and solutions should be discussed prior to full committee meetings. Subcommittees are encouraged. The main purpose is to reach consensus on priorities, objectives, and trade-offs, balance culture, and provide an effective communication channel
  5. Chief Information Security Officer - usually a C-level role; typically reports to the CIO, CEO, and CTO
14
Q

NIST 800-30 Rev 1

A

Guide for Conducting Risk Assessments; describes the key roles of the personnel who must support the risk management process

15
Q
  1. CIO
  2. CISO
  3. ISM
  4. SO/IO
  5. Business/Functional Managers
  6. IT Security Practitioners
  7. Security Awareness Trainers / SMEs
A
  1. CIO - responsible for IT planning, budgeting, performance and components under CISO/information security manager
  2. CISO - generally performs same functions as information security manager, but holds officer/executive status; reports to CEO, chief operating officer (COO) or board of directors (BOD)
  3. ISM - responsible for security program, including risk management; act as major consultants in support of senior management
  4. SO/IO - ensures control implementation, policy compliance, approve changes
  5. Business and Functional Managers - responsible for business operations, and IT procurement, authority for trade-off decisions
  6. IT Security Practitioners - network, system, application, and database admins, computer specialists, security analysts, security consultants
  7. Security Awareness Trainers - must understand organization’s objectives and process to develop training materials and incorporate requirements into training programs for end users
16
Q

How ISM obtains senior management commitment to information security program

A

Once ISM has developed security strategy, senior management must approve the strategy/program.

  1. Educate senior management on how critical IT systems and information are to continued operation of the enterprise
  2. Be clear on what an appropriate level of support from senior mgmt includes
  • clear approval of policies, monitoring performance, supporting SAT, adequate resources and sufficient authority, treating information security as critical, high level oversight and control, addressing issues at senior mgmt/BOD meetings
17
Q

Developing and presenting the Business Case

  • Business Case
  • Feasibility Study
  • Stage Gates or Kill Points
    • Formal presentations
  • 6 elements of Feasibility Study (PCR-AER)
A
  • Business case - provides the information required for the organization to decide whether a project should proceed. The essential consideration is the value proposition, or the cost-benefit analysis, of moving forward with the project. Usually the first step or precursor to commencement of a project
  • Feasibility study - the initial business case derives from the feasibility study. This is an early study of a problem to assess whether a solution is practical and meets schedule and budget requirements.
  • Stage Gates/Kill Points - a well-planned project will have decision points where the business case is formally reviewed to ensure it is still relevant. If the business case changes during the project, it should be reapproved
  • Formal presentations - the ISM conducts formal presentations for senior management highlighting the following: aligning security and business objectives; consequences of failing to achieve security objectives; budget items; total cost of ownership (TCO) / ROI; defined monitoring and auditing measures
  1. Project scope - defines the problem and/or opportunity
  2. Current analysis - define and establish an understanding of the current system, process, or product. Strengths and weaknesses of the current product are identified
  3. Requirements - these are based on stakeholder needs; constraints may be due to contractual and regulatory processes, end-user functional needs, etc.
  4. Approach - the recommended software and/or system to satisfy the requirements. This step also identifies alternatives and the rationale for why the preferred solution was selected
  5. Evaluation - addresses the cost-effectiveness or value proposition of the selected approach. The final report should include the estimated total cost along with the cost of alternatives (including manpower hours, material and facility costs, vendor/contractor costs, project schedule, etc.)
  6. Review - formal review of the report with ALL stakeholders. Renders the decision to approve or reject the project
18
Q

Governance of Third-Party Relationships

  • challenges
  • ISM responsibility
A
  • Challenges - cultural differences, technology incompatibilities, incident response process, business continuity, disaster recovery
  • ISM clearly documents potential risks and possible impact of 3rd party relationships
19
Q
  • security metric vs technical metric
  • Risk assessments vs Metrics
A
  • metric - quantifiable entity that allows measurement of achievement of a process goal
  • security metric - degree of safety relative to a reference point
  • technical metrics - tactical operational mgmt of technical security systems (IDSes, firewalls, servers, etc). these metrics are of little value to mgmt as it says nothing about how well risk is being managed, policy compliance, etc
  • Full audits and risk assessments provide a snapshot of security whereas metrics are able to provide up to date information as requested
20
Q

Good metrics are SMART and MAC-RAP

A
  1. specific - based on a clear goal
  2. measurable
  3. attainable
  4. relevant
  5. timely

additional considerations - MAC-RAP

  1. meaningful
  2. accurate
  3. cost-effective
  4. repeatable
  5. actionable
  6. predictable
21
Q
  • Value at Risk (VAR)
  • Return on Security Investment (ROI)
  • Annual Loss Expectancy (ALE)
  • Key Goal Indicator (KGI)
  • Key Performance Indicator (KPI)
  • Litmus Test
A
  • Value at Risk (VAR) - computes the maximum probable loss in a defined period (day, week, year); 95-99% accuracy using Monte Carlo simulation, which runs thousands of calculations over historical data to predict possible losses
  • Return on Security Investment (ROI) - calculate ROI based on the reduction in losses resulting from a security control compared to the cost of the control: ((amount gained or loss avoided - cost) / cost) x 100
  • Annual Loss Expectancy (ALE) - annualized loss based on the probable frequency and magnitude of a security compromise
  • Key Goal Indicator (KGI) - indicates whether goal has been met
  • Key Performance Indicator (KPI) - indicates how well process is performing to meet the goal
  • Litmus Test - reverse order evaluation to see if specific control can be tracked back to specific business requirement. Controls that cannot be tracked back should be re-evaluated and possibly eliminated
22
Q

Common Pitfalls of flawed decision making (12)

  1. overconfidence
  2. optimism
  3. anchoring
  4. status quo
  5. mental accounting
  6. the herding instinct/faddism
  7. False Consensus
  8. Confirmation Bias
  9. Selective recall
  10. biased assimilation
  11. biased evaluation
  12. groupthink
A

Common Pitfalls of flawed decision making

  1. overconfidence
  2. optimism
  3. anchoring - once a number has been presented to someone, that person will rely on that first value
  4. status quo - sticking with familiar or known approaches
  5. mental accounting - treating money differently depending on where it comes from, where it is kept, how it is spent (i.e. imposing cost caps on core business while spending freely on start up)
  6. the herding instinct/faddism - seek validation from others
  7. False Consensus - overestimate the extent that others share their views
  8. Confirmation Bias - seeking opinions that support one’s own beliefs
  9. Selective recall - remembering certain facts
  10. biased assimilation - accepting only facts that support current position
  11. biased evaluation - easy acceptance of evidence that supports one’s hypotheses and reject others
  12. groupthink - pressure for agreement in team based cultures
23
Q

COBIT 5

  • 5 principles (Mc-AES)
  • 7 enablers (PPOC-ISP)
A
  • COBIT - a comprehensive framework for the governance and management of enterprise IT and extensively addresses IT security, governance, risk, and information security.
  • Based on 5 principles (Mc-AES)
  1. Meeting Stakeholder Needs - enterprises exist to create value for stakeholders by maintaining balance between benefit and risks
  2. Covering the Enterprise End-to-End - this framework will benefit all functions and processes within the enterprise
  3. Applying a Single, Integrated Framework - this framework aligns with many other frameworks
  4. Enabling a Holistic Approach - taking into account several interacting components. This framework defines 7 categories of enablers below (PPOC-ISP)
  5. Separating Governance from Management - Governance ensures stakeholder needs are evaluated to determine agreed-on enterprise objectives to be achieved setting direction through prioritization and decision making; monitoring performance and compliance; Usually responsibility of BOD. Management plans, builds, runs, monitors activities in alignment with objectives determined by BOD. Responsibility of Senior MGMT under leadership of CEO.

7 Categories of Enablers below:

  • Principles, Policies, and Frameworks - vehicle to translate the desired behavior into practical guidance for day to day mgmt.
  • Processes - describe an organized set of practices and activities to achieve certain objectives to produce outputs in support of achieving goals
  • Organizational structures - decision making entities in organization
  • Culture, ethics, and behaviors - this is underestimated as a factor in an organization’s success
  • Information
  • Services, infrastructure, and applications
  • People, skills, and competencies
24
Q
  • COBIT 5 Process Assessment Model (PAM) Maturity Levels
  • Capability Maturity Model Integration (CMMI)
A
  • COBIT 5 Process Assessment Model (PAM) - a tool used to assess current state and define a future desired state; conforms to ISO/IEC 15504-2 (Conducting a process assessment of each COBIT 5 process, resulting in 0 to 5 maturity level)
  • Capability Maturity Model Integration (CMMI) - a framework that provides guidance to elevate performance. There are 5 levels:
  1. Initial - processes are unpredictable, poorly controlled, and reactive
  2. Managed - processes are characterized for projects and are often reactive
  3. Defined - processes are characterized for the organization and are proactive
  4. Quantitatively Managed - Processes measured and controlled
  5. Optimizing - Focus on process improvement
25
Q
  • Balanced Scorecard
A
  • Balanced Scorecard - a management system (not just measurement system) that allows organizations to clarify their vision and strategy. Uses 4 perspectives, each with metrics and goals:
  1. Learning and Growth
  2. Process
  3. Customer
  4. Financial
26
Q
  • Enterprise Information Security Architecture (EISA)
  • Examples of architectural approaches
  • Reference Architecture =
  • Reasons companies do not use EISA
A
  • Enterprise Information Security Architecture (EISA) is a subset of Enterprise Architecture (EA); it helps ensure proper controls are implemented and integrated throughout the organization. Architectural frameworks used to address only IT components; they have now evolved to address all business components. Utilizing EISA is a powerful tool in security strategy.
  • Architectural approaches that are inclusive of business processes that define the desired state are: COBIT 5, the Open Group Architecture Framework (TOGAF), Bachman Enterprise Architecture, Extended Enterprise Architecture Framework (E2AF), and SABSA (derived from the Zachman Framework)
  • Reference Architecture = Target Architecture
  • Reasons companies do not use EISA - expensive, time consuming, lack of understanding of potential benefits, and few competent security architects for successful implementation of EISA; This lack of integration has resulted in functionally less security integration and increasing difficulty in managing enterprise security efforts effectively. Several EISA frameworks evolve from existing EA frameworks.
27
Q

Risk can be expressed as ALE

A
  • Risk always carries a cost, controlled or not. It can be expressed as ALE
  • Annual Loss Expectancy (ALE) - the amount of potential loss times the likelihood of occurrence, showing the optimal level of control
28
Q
  • RTO
  • RPO
  • 2 ways to quantify acceptable risk
A
  • RTO - The amount of time allowed for the recovery of business function or resource after a disaster
  • RPO - quantifies acceptable amount of data loss; indicates earliest point in time to which it is acceptable to recover data;
  • The acceptability of risk can be quantified by determining the RTOs of resources; this is an informal way of determining the amount of time it takes to recover a critical system and the acceptable cost associated with it
  • Another way to estimate acceptable risk is through Business Interruption Insurance; the deductible and its cost;
29
Q
  1. How to determine current state of security
  2. Determine current risk
  3. Methods to conduct risk assessments
  4. BIA
  5. Ultimate objective for ISM
A
  1. Using the same methodologies to determine the strategy objectives, or desired state; this provides basis for gap analysis and allows organizations to periodically use the same methodologies to show progress towards meeting the objectives
  2. Risk assessments which include threat, vulnerability, and impact analyses;
  3. COBIT 5 for risk, NIST SP 800-30, ISO/IEC 27005, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  4. BIA is used to evaluate the current state and priorities; determine impacts to systems
  5. To meet stakeholder needs by providing business process assurance and minimizing impacts of adverse events
30
Q

How do you determine if a risk should be mitigated

A

cost benefit analysis

31
Q
  1. elements of a strategy
  2. roadmap
A
  1. current state, desired state, resources available, constraints
  2. steps taken to achieve the desired state
32
Q

Developing a roadmap

  • Resources
  • Constraints
A
  • Current resources should be utilized when developing a security strategy to maximize use of existing assets and capabilities; resources can include policies, guidelines, controls, skills, training, BIA, risk analysis, etc.
  • Constraints include legal (laws), physical (capacity, space), ethics, culture, cost, time, personnel, etc.
33
Q
  • Policies
  • Standards
  • Procedures
  • Guidelines
A

Policies and Standards are for governance and management; Procedures and guidelines are for the purview of operations

  • Policies - high level statement of management intent, expectation, and direction. Well-developed policies remain fairly static for long periods of time. “constitution” of security governance and must be clearly aligned with security objectives (i.e. ISSO shall prevent unauthorized access)
  • Standards - metrics; allowable limits on processes, people, technologies (i.e. password standard)
  • Procedures - responsibility of operations, intended for clarity; necessary steps to accomplish specific tasks; also includes expected outcomes, required conditions, and alternative steps if expected outcome is not met; steps should be clear (words such as “must” or “shall” denote mandatory actions; “should” denote actions that are not mandatory; “can” or “may” denote actions that are discretionary) (i.e. creating, changing, or resetting pw)
  • Guidelines - responsibility of operations; contain information that will be helpful in executing procedures; can include clarification of policies and standards, suggestions, examples, narratives, and background information that would be useful in following procedures
34
Q

Quantitative Risk Analysis

  1. Exposure Factor
  2. Single Loss Expectancy (SLE)
  3. Annual Rate of Occurrence (ARO)
  4. Annual Loss Expectancy (ALE)
A
  1. Exposure Factor - % of asset loss that you can expect if an incident occurs.
  2. Single Loss Expectancy (SLE) - AV x EF
  3. Annual Rate of Occurrence (ARO) - How often you will get hit by specific incident this year
  4. Annual Loss Expectancy (ALE) - ARO x SLE = ALE
35
Q

Risk Management Steps

A
  1. Asset Identification
  2. Asset Classification
  3. Risk Identification - using scenarios/vulnerabilities to determine the range/outcome and nature of risk
  4. Risk Analysis - combines vulnerability and threat information to assess the risk of compromise; using BIA as part of the process (quantitative or qualitative processes)
  5. Risk Evaluation - determining if risk falls within acceptable level and establishing criteria for risk treatment
  6. Risk Identification
  7. Risk Assessment
  8. Risk Response
  9. Risk Monitoring
  10. Risk Reporting
36
Q

Total Cost of Ownership (TCO)

A
  1. Acquisition Costs
  2. Testing and Assessment Costs
  3. Recurring Maintenance Costs
37
Q

BIA terms

  1. MTD
  2. RTO
  3. RPO
  4. SDO
  5. AIW
A

BIA terms

  1. MTD - the amount of time a business can tolerate operation at a lowered processing level
  2. RTO - the amount of time it takes to bring the alternate site or process to functional level
  3. RPO - the amount of data that a company can tolerate losing
  4. Service Delivery Objective (SDO) - the reduced rate the system will be running at (i.e. ability to run at 80% processing power at the alternate site)
  5. Acceptable Interruption Window (AIW) - the window of time during which the business is not functioning and no processing occurs. The maximum amount of time the system can be unavailable before compromising achievement of business objectives
38
Q

Steps of Compromise

A
  • Initial compromise - hacker gains access
  • Establishing a foothold - ensuring hacker can get in later either through back door or remote administration SW
  • Moving laterally - jumping from computer to server to router to another server
  • completing the mission - hacker has your data and did what they initially intended
39
Q

Types of Risk

  • Cascading Risk
  • Control Risk
  • Aggregated Risk
A
  • Cascading Risk - one failure leads to a chain reaction of failures
  • Control Risk - looking at controls that are impacted
  • Aggregated Risk - several minor vulnerabilities aggregate into a significant impact
40
Q

Strategy Resource

SABSA Security Architecture

A
  • Who, what, why, where, when, and how matrix developed by SABSA and E2AF
41
Q

Strategy Resource

Popular architecture framework: TOGAF

A

The Open Group Architecture Framework

Addresses the following four Architecture Domains (BAD-T):

  1. Business Architecture - defines business strategy, governance, processes
  2. Applications Architecture - blueprint for individual applications systems, interactions, and relationship to core business processes
  3. Data Architecture - structure of logical and physical data assets and the associated data management resources
  4. Technical Architecture - describes HW, SW, and NW infrastructure to support core, mission critical applications
42
Q

Strategy Resource

Types of Controls

  1. Non-IT Controls
  2. Countermeasures
  3. Layered Defenses/Defense in Depth
A
  1. Non-IT Controls - security controls still need to be developed for non-IT related information processes, including secure marking, storage requirements, etc.
  2. Countermeasures - protection measures that directly reduce a vulnerability or a threat; these are considered targeted controls
  3. Layered Defenses/Defense in Depth - multiple layers of defense; if one layer fails, the next layer should provide protection
43
Q

Strategy Resource

Technology must be teamed with policies, standards, procedures to achieve effective defenses against security incidents.

Be familiar with Defenses against system compromise

A
44
Q

Strategy Resource

Personnel Security

A
  • Extent and nature of BG investigations should be relevant to the sensitivity and criticality of the requirements of the position held; otherwise privacy intrusion would be an issue (i.e. an extensive BG investigation on a receptionist)
  • Develop BG checking policy and standards and ensure they comply with legal and HR department requirements
45
Q

Strategy Resource

Organizational Structure

Centralized and Decentralized Approach

A
  • The ease or difficulty of developing a security strategy relies on the flexibility of the organization; for constrained structures, developing a strategy could be seen as a threat.
  • In the past ISMs reported to the CIO, but now it is C-level management (i.e. COO, CEO, or BOD). This is because 1. the broad requirements of security are outside the scope of the CIO, 2. the CIO often focuses on cost and performance of IT, and 3. in order for security to be effective, it must align with the business rather than just technology
  • Centralized approach - concentration of authority at central points (better for smaller orgs)
  • Decentralized approach - delegation of authority (more common in security, better for larger corps)
46
Q

Strategy Resource

  • Roles and Responsibilities
  • Skills
  • Audits
  • Compliance and Enforcement
A
  • Roles and Responsibilities - these should be defined by the ISM
  • Skills - more cost effective to choose a strategy that uses skills already available; may need to train or outsource if personnel lack the skills needed; a skills inventory should be created by the ISM
  • Audits - determine security deficiencies from a controls and compliance perspective
  • Compliance and Enforcement - security violations are an ongoing concern; developing procedures for handling them is part of developing the strategy; senior mgmt support is needed to enforce, which is difficult; best to self report and have voluntary compliance, prioritizing compliance requirements to focus on the greatest risk and impact when speaking to mgmt
47
Q
  • Strategy Resource
  • Awareness and Education
A
  • people are the weakness in security
  • training provides for improved security and understanding of security, and better alignment with business objectives
  • the challenge is defining what the appropriate skills are and how they need to be improved
  • finding employees with the right skills is tough, and companies tend to hire people who are overqualified, which is costly and usually ends in high turnover rates due to individuals not being challenged in their roles
  • training should be targeted
48
Q

Strategy Resource

  • Vulnerability Assessment
  • Threat Assessment
  • Other Organizational Support and Assurance Providers
A
  • Vulnerability Assessment - From a technical standpoint, automated scans are used. From a strategy standpoint, comprehensive vulnerability assessments include physical elements such as procedures, technologies, facilities, SLAs, legal, and contractual agreements. These are not frequently done
  • Threat Assessment - Although this is part of risk assessment, it is an important element for consideration by itself; it is a proactive approach in considering viable threats (i.e. flood, fire, earthquake, etc.); instead of focusing on both vulnerabilities and threats, a threat profile focuses on threats that are relatively constant, whereas vulnerabilities are dependent on changes to things like business, processes, technology, and users
  • Other Organizational Support and Assurance Providers - i.e. Legal, compliance, audit, insurance, DR, physical security, training, HR, CM, quality assurance; these are typically not well integrated; the ISM should include strategic approaches to prevent gaps, duplication of effort, and cross purposes, to assure one group does not undermine the other
49
Q

Strategy Resource

Insurance

  • 1st party
  • 3rd party
  • Fidelity insurance/bonding
A
  • Strategy resource to address some risks; mostly risks that are rare and high impact (i.e. floods, embezzlement, liability lawsuits, fires, etc.)
  • First party - covers most sources and can include business interruption, direct loss, recovery costs
  • Third party - covers defense against lawsuits
  • Fidelity Insurance - embezzlement or theft
50
Q

Strategy Resource

  • BIA
  • Resource Dependency Analysis
  • Outsourced Services
A
  • BIA - determines the impact of losing support of any resource and is part of the risk assessment process; impact is typically reduced to financial impacts; determines criticality and sensitivity of systems; provides the basis for information classification and business continuity requirements
  • Resource Dependency Analysis - determines resources (systems, HW) and dependencies (input processes, data repositories) required by operations critical to the organization; similar to DRP and considers systems, HW, and SW required to perform specific functions; provides another perspective on criticality of resources; can be used in some situations instead of a BIA
  • Outsourced Services - common resource for developing security strategies; ensure the outsourced portion is not a critical SPOF or that there is a viable backup plan in case of SP failure; cloud services are outsourced and present new risks; significant differences in culture, systems, technology, and operations between parties present a host of security challenges the ISM must identify and address
51
Q

Security Constraints

  • Legal and Regulatory Requirements
    • Requirements for Content and Retention of Business Records
    • E-discovery
A
  • Legal and Regulatory Requirements - requirements depend on location; organizations may establish different security strategies for each regional division or base policy on the most restrictive requirements to be consistent across the enterprise
    • Requirements for Content and Retention of Business Records - based on two things, business requirements for the record and legal/regulatory requirements for the record; the Sarbanes-Oxley act has imposed various mandatory retention requirements; based on location
    • E-discovery - this is evidence obtained from email or other electronic communications in response to a request or subpoena; if information has been archived without being classified and cataloged, retrieving data can be a daunting, expensive task; consider a retention policy to limit the length of time certain information is retained before it is destroyed; base this on legal and regulatory requirements and business needs
52
Q

Security Constraints

  • Physical
  • Ethics
  • Culture
  • Organizational Structure
A
  • Physical - should consider personnel and resource safety to protect against environmental hazards (i.e. floods) and ensure adequate infrastructure capacity
  • Ethics - customers' and the public's perception of the organization can have a major impact on the organization's value; perceptions are often influenced by location and culture
  • Culture - internal culture is important; develop the strategy to include a friendly culture
  • Organizational Structure - different reporting structures and authorities exist; cooperation among these functions is important
53
Q
  • Security Constraints
  • Costs
A
  • Costs - the strategy should consider the most cost-effective way to save on time and money; companies usually justify spending based on a project's value, but in security the justification would be compliance with regulations and controlling a specific risk
  • calculating ROI is one way to determine if something is worth implementing; calculating ROI is not a good strategy for determining if one should be compliant with regulations; ROI should be used for determining if a method is worth implementing to mitigate a risk
    • way to calculate - ALE. ALE is estimated by taking the potential loss from a specific event and multiplying it by the probability of that event occurring in a year; comparing the cost of the control against the loss if the event were to occur within a year gives the ROI
54
Q

Security Constraints

  • Personnel
  • Resources
  • Capabilities
  • Time
  • Risk Acceptance and Tolerance
A
  • Personnel - resistance to significant changes or strategies may occur
  • Resources - consider the available budget and manpower required for certain projects; TCO should be considered over the full life cycle of technologies, processes and personnel
  • Capabilities - known capabilities of the organization should be considered when implementing the strategy
  • Time - meeting compliance deadlines
  • Risk Acceptance and Tolerance - ways to measure include developing RTOs for critical systems through a BIA; comparing the cost of downtime vs the cost of recovery; through insurance, where the amount of loss before insurance pays the claim is the acceptable risk; the cost of protection should never exceed the benefit derived
55
Q

Action plan to implement strategy

  • Gap Analysis
  • Policy Development
A
  • Action plan to implement strategy - will require several projects and several gap analyses to determine current and desired states for each defined metric, which will identify requirements and priorities for an overall road map to achieve objectives and close gaps
    • CMMI or other methods are used to assess the gap between current and desired state
    • Policy Development - this is the primary element of governance; policies are likely to have a number of supporting standards; policies are the constitution of governance, they capture the intent, expectation, and direction of management; standards are the law; policies should be directly linked to strategy objectives, otherwise they need to be re-evaluated and are considered contradictory; policies should rarely be more than a few sentences long and there should not be more than 2 dozen policies
56
Q

Action plan to implement strategy

  • Standards Development
  • Training and Awareness
A
  • Standards Development - standards set meaningful boundaries for procedures and guidelines, for people and events; they are the law to the constitution of policy; they provide a measuring stick for policy compliance; they reflect acceptable risk and control objectives
  • Training and Awareness - evidence shows personnel are not aware of security policies and standards or the link between the two, even where they exist; it is important to have training that is tailored to specific individual groups; include understanding of the strategy objectives (KGIs), the processes and performance metrics (KPIs), and the elements that must occur to achieve the KGIs (CSFs)
57
Q

Action plan to implement strategy

  • Action Plan Metrics
    • KGI
    • CSF
    • KPI
    • General Metric Considerations
A
  • Action Plan Metrics - method to monitor and measure progress and achievement of milestones; a balanced scorecard, CMMI, or PAM can be used to determine the current state and perform gap analysis
  • Example used below to define KGI, CSF, KPI - Sarbanes-Oxley requires regulatory compliance
    • KGI - define clear objectives and goals (i.e. achieving Sarbanes-Oxley controls testing compliance mandates; completing independent controls testing compliance validation and attestation; preparing the required statement of control effectiveness)
    • CSF - specific steps needed to accomplish the goals (i.e. identifying, categorizing, and defining controls; defining appropriate tests to determine effectiveness; committing resources to accomplish required testing)
    • KPI - tracking progress and having appropriate testing plans and reports (i.e. control effectiveness testing plans, progress in controls, results of testing controls)
    • General Metric Considerations - careful analysis of metrics should determine their relevancy; 3 categories - strategic, tactical, and operational. Senior management would be most interested in strategic metrics, whereas IT would be more interested in technical.
58
Q
  • Action Plan Intermediate Goals
A
  • Action Plan Intermediate Goals - near-term goals that align with the overall security strategy are easy to determine once the overall strategy has been completed; this is based on the BIA determination of mission critical resources and the state of security determined by gap analysis (i.e. CMMI); near-term goals should align with long-term goals
59
Q

Information Security Program Objectives

A
  • implementing the strategy with an action plan will result in an information security program; the objective of the information security program is to protect the interests of those relying on the information and to protect that information from compromise of confidentiality, integrity, availability, authenticity, and nonrepudiation
  • Confidentiality - disclosed only to those with a need to know
  • Integrity - protection from unauthorized modification
  • Availability - information is available and usable when needed and the system can appropriately resist attacks
  • Authenticity and Nonrepudiation - information exchanges between partners can be trusted
60
Q

4 ways to improve ISM role in the organization

A
  1. Obtain Management Commitment - helps senior management understand the importance of security
  2. Business Case Development - provides the information required for an organization to decide whether or not a project should proceed; provides justification for the costs and worth of security
  3. Strategy Development - ensures strategic alignment, value delivery, and resource optimization
  4. Metrics - show the organization is meeting its defined goals and providing value to the business
61
Q

ROLES - and their responsibilities summarized

  • BoD
  • Executive Mgmt
  • Steering Committee
  • ISM / CISO
  • Auditors
A

BoD - Accountable / Ensure compliance

Executive Management (C-Level) - Monitor / Require

Steering Committee - Determine Priority, Identify issues, Review, Revise process

ISM/CISO - Enforce, Develop, Implement, Metrics

CISO - accountable roadmap/plans

62
Q

SABSA Contextual - who what when where how

A

“why” - risk, CSFs, motivation

“when” - criticality, time

“how” - dependency, process

“where” - logistics, location

“what” - assets