Domain 1: Security and Risk Management Flashcards
3 main elements of Security Program
People, Process, Technology
Important for people
training, knowledge/skill set, company culture
important about process
controls how people interact with the technology
Information Security Triad
Confidentiality, Integrity, Availability
Security v. performance (and cost)
There is always a balance between the level of security and performance; adding security generally reduces performance and increases cost.
Confidentiality
Prevent unauthorized disclosure
Integrity
Prevent unauthorized modification
Availability
Timely access to resources
Why implement security?
To support the mission of the organization, not security for security's sake
GRC
Governance, Risk, Compliance
Why GRC Came about
Response to the widespread fraud and unethical corporate behavior of the early 2000s. The Open Compliance & Ethics Group (OCEG) provided open standards addressing GRC
Culpable Negligence
Failing to do something a reasonably cautious person would have done in the same situation
Due Diligence
Doing the research (risk assessments, investigation) to understand what the organization must protect and how
Due Care
Acting on the research to show you have acted prudently
Prudent Person Rule
You have used due diligence and due care to take reasonable actions, responsibly and cautiously
Ultimate Responsibility/Liability
Senior Management
Information Security Frameworks
Provide standard set of IS requirements to guide organizations; foundation, structure
ISO 27001 has how many domains
14 (the control domains of Annex A in ISO 27001:2013)
ISO 27001
Specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within an organization
GDPR
General Data Protection Regulation (EU)
Who adheres to GDPR
An EU regulation; it binds any organization, inside or outside the EU (including US companies), that processes personal data of individuals in the EU/EEA. The US has no equivalent federal privacy law
Goal of GDPR
Protect the Rights of data subjects
Data subject
person the data pertains to
Timeline for Breach Disclosure under GDPR
Notify the supervisory authority within 72 hours of becoming aware of the breach; affected data subjects must be notified without undue delay when the breach poses a high risk to them
Seven Steps of the NIST CSF
Prioritize and scope; Orient; Create a current profile; Conduct a risk assessment; Create a target profile; Determine, analyze, and prioritize gaps; Implement the action plan
Gap Analysis
Identifying and prioritizing gaps between where you are and where you want to be
5 core functions of the NIST CSF
Identify, Protect, Detect, Respond, Recover (CSF 1.1; CSF 2.0 adds Govern as a sixth)
CMMI Five Maturity Levels
Initial, Managed, Defined, Quantitatively Managed, Optimizing (some security course material labels them Initial, Developing, Defined, Managed, Optimized)
CMMI Maturity Model
Identifies Maturity of Technology, Process, and People
CMMI Level 1
People are unstaffed or uncoordinated, no formal security program, no security controls exist
CMMI Level 2
Infosec leadership established, Basic governance and risk management process/policies, some controls in development with limited documentation
CMMI Level 3
Some roles and responsibilities established, organization-wide processes and policies in place with minimal verification, more controls documented and developed, over-reliant on individual efforts
CMMI Level 4
Increased resources and awareness, clearly defined roles and responsibilities, formal infosec committees, verification and measurement processes, controls monitored, measured for compliance but uneven levels of automation
CMMI Level 5
Culture supports continuous improvements, processes comprehensively implemented, risk based and quantitatively understood, controls comprehensively implemented and automated
Information Security Program Steps
Provide the means for achieving the strategy: policies/standards/procedures/guidelines; controls and control objectives; third-party governance; data classification/security; Certification and Accreditation (aka Assessment and Authorization); auditing
Corporate Policy
Comes from senior leadership, expresses their vision for security
System Specific Policy
Every system (or class of system) should have its own policy
Issue Specific Policy
Policy focusing on a specific issue ex. Change Management Policy
List of Issue Specific Policies
Change Management, Acceptable Use, Privacy, Data/System Ownership, Separation of Duties, Mandatory Vacations, Job Rotation, Least Privilege / Need to Know, Dual Control, M of N Control
Change management policy
discusses how to manage and approve changes to the system
Acceptable Use policy
Policy stating how to use system resources and restrictions
Privacy policy
Pertains to employee privacy and what employees must be notified of
Data/System Ownership Policy
Data matters more than the system for security; the policy states who has security ownership of each system and of the data on it
Separation of Duties
Prevents any one individual from being too powerful; splits a sensitive task across people so that abuse requires collusion (multiple people conspiring to perform the action)
Mandatory vacations
Common in finance; mandates a set number of consecutive days during which the employee may perform no work actions or communications, so that fraud they were concealing surfaces while someone else covers the role. Detective control
Job Rotation
Rotating personnel through positions so no single person knows (or can hide) all the workarounds in a role; also provides cross-training
Least Privilege / Need to Know
Only allow people to perform actions they need to or access data they need to know
Dual Control
Takes multiple personnel to perform an action, identifies specific personnel
M of N Control
X out of Y personnel need to be present, more flexible than Dual Control
Standards, Procedures, and Guidelines difference
Standards and Procedures are mandatory, guidelines are not.
Strategic Policy Framework pieces
Driven by senior management. Org Drivers, Principles, Policies
Tactical Policy Framework pieces
Standards, Guidelines, Procedures, and Baselines
Compensating control
An alternate control applied when the primary control cannot be implemented or does not provide a full and complete solution
Control Objectives
Statements of what a control is intended to achieve, derived from the long-term objectives of the organization. The strategy should describe a well-articulated vision of the desired outcomes for the security program, expressed as SMART objectives
Senior Management Responsibilities
Provide oversight
Provide funding and support
Ensure Testing
Prioritize Business functions
establish a common vision/strategy/framework
Sign off on policy, BIA (business impact analysis), and other organizational documents
Steering committee Responsibilities
Oversight of Information Security Program
Act as liaison b/w management, business, IT, and IS
Assess and incorporate result of risk assessment
Into the decision-making process
Ensure all stakeholder interests are addressed
Oversees compliance activities
Chief Informational Officer Responsibilities
Strategic planning, policy development, technology assessments, process improvements, acquisitions, capital planning, security
Chief Information Security Officer (CISO) Responsibilities
Responsible for the CIA triad; usually reports to the CIO. Conducts risk assessments, program management, loss prevention, incident management, security operations
Information Security manager Responsibilities
Functional manager responsible for determining how the strategy is achieved and for achieving it
Play a leading role in introducing an appropriate methodology
Act as major consultants in support of senior management
Business Managers Responsibilities
The Data owners
Responsible for business operations. individual lines of business
provide direction to ensure security is implemented in such a way to meet objectives
responsible for security enforcement and direction
responsible for the day to day
Security Practitioners Responsibilities
Responsible for implementation of security requirements
Support or use the Risk management process to identify and assess new potential risk and implement new security controls as needed
Auditors Responsibilities
Evaluation of controls and policies
Can be internal or external
Document, not modify
Security Trainers Responsibilities
Understand the risk management process
develop training materials
conduct security trainings and awareness programs catered to roles within the org
incorporate risk assessment into training programs to educate end users
encourage users to report violations
Information Security Risk Management
ISRM, process of managing risks associated with the use of information technology; identifying assessing and treating risks to the CIA of organization’s assets
Asset
Anything of value to the company
Vulnerability
A weakness, the absence of a safeguard
Threat
Something that could cause loss of or damage to all or part of an asset
Threat Agent
The entity (person, group, or process) that carries out the threat/attack
Exploit
A technique that takes advantage of a vulnerability; an instance of compromise
Risk
The likelihood that a threat will exploit a vulnerability, combined with the resulting impact
Controls
Physical, Administrative, and Technical Protections
Safeguards
Deterrents or Preventive Controls
Countermeasures
Detective or Corrective Controls
Total Risk
The risk that exists before any control is implemented
Residual Risk
Risk that is left after applying a control
Secondary Risk
When one risk response triggers another risk event
Incident
A risk event that has transpired
Risk Management Lifecycle
Identify, assess, mitigate, monitor
Risk Identification
First step in the lifecycle: discover all threats and vulnerabilities against assets. Record risks in a risk register
Risk Assessment
Second step in the lifecycle: determine loss potential. Risk = Probability * Impact
Risk Mitigation
Third step in the lifecycle: how we respond based on the risk assessment. Options are applying controls (mitigate), removing the risk (avoid), transferring the risk (e.g., insurance), or accepting it
Risk Monitoring
Final step in the lifecycle: ensuring risks stay within the allowable range
Formula for Risk
Asset Value * Threat * Vulnerability = Risk
STRIDE Threats
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege
DREAD (risk rating of a vulnerability)
Damage potential, Reproducibility, Exploitability, Affected user base, Discoverability
Qualitative Risk Assessment
Subjective analysis to help prioritize the probability and impact of risk events. May use the Delphi technique (anonymous input from experts, collected in rounds until consensus)
Uses terms like high medium low; probability and impact
Produces a heat map
Quantitative Risk Assessment
Provides a dollar value to risk event
More difficult and requires a special skill set
Can’t exist on its own, depends on qualitative info
Asset Value (AV)
Dollar figure that represents what the asset is worth to the organization
Exposure Factor (EF)
Percentage of the asset's value expected to be lost when a risk event actually occurs
Single Loss Expectancy (SLE)
Dollar figure that represents the cost of a single occurrence of a threat instance
Annualized Rate of Occurrence (ARO)
How often the threat is expected to materialize
Annual Loss Expectancy (ALE)
Cost per year as a result of the threat
Total Cost of Ownership (TCO)
cost of implementing a safeguard, includes initial cost and maintenance fees
Return on Investment (ROI)
money saved by implementing a safeguard; also known as value of safeguard/control
Single Loss Expectancy (SLE) Formula
AV * EF
ALE Formula
SLE * ARO
TCO Formula
Initial Cost of Control + Yearly Fees
ROI Formula
ALE before control - ALE after control - annual cost of the control
Steps for Quantitative Analysis
Assign Asset value (AV)
Calculate Exposure Factor (EF)
Calculate Single Loss Expectancy (SLE)
Assess the annualized rate of occurrence (ARO)
Derive the Annualized loss expectancy (ALE)
Perform cost/benefit analysis of countermeasures
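The six steps above, carried through as an added worked example (not part of the original flashcards): a constructed asset, threat and three candidate safeguards are run through AV, EF, SLE, ARO, ALE, TCO and the ROI/safeguard-value formula, and the cost/benefit step picks the control that is actually worth buying. All dollar figures and rates are invented sample data; the TCO is spread over the control's lifetime so it can be compared with ALE, which is a per-year figure.

```python
"""Quantitative risk analysis: AV, EF, SLE, ARO, ALE, TCO and safeguard value,
using the formulas from the cards. All numbers are constructed sample data."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # AV: what the asset is worth to the organization, in dollars


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    initial_cost: float
    yearly_fees: float
    lifetime_years: int
    residual_ef: float   # EF once the control is in place
    residual_aro: float  # ARO once the control is in place


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF: cost of one occurrence of the threat."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError(f"exposure factor must be a fraction between 0 and 1, got {ef}")
    return av * ef


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected cost per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def total_cost_of_ownership(s: Safeguard) -> float:
    """TCO = initial cost + yearly fees over the control's lifetime."""
    return s.initial_cost + s.yearly_fees * s.lifetime_years


def annual_cost(s: Safeguard) -> float:
    """TCO spread per year, so it is comparable with ALE."""
    return total_cost_of_ownership(s) / s.lifetime_years


def safeguard_value(asset: Asset, threat: Threat, s: Safeguard) -> float:
    """ROI / value of safeguard = ALE before - ALE after - annual cost of control."""
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset.value, threat.exposure_factor), threat.aro)
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(asset.value, s.residual_ef), s.residual_aro)
    return ale_before - ale_after - annual_cost(s)


def best_safeguard(asset: Asset, threat: Threat,
                   candidates: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Cost/benefit step: the control with the highest positive value.
    None means every candidate costs more per year than the risk it removes,
    i.e. the risk should be accepted or cheaper controls sought."""
    ranked = sorted(candidates, key=lambda s: safeguard_value(asset, threat, s), reverse=True)
    if not ranked or safeguard_value(asset, threat, ranked[0]) <= 0:
        return None
    return ranked[0]


# Constructed scenario (hypothetical figures, not measurements).
CUSTOMER_DB = Asset("customer database", value=500_000.0)
RANSOMWARE = Threat("ransomware", exposure_factor=0.6, aro=0.5)  # one hit every two years, 60% loss
CANDIDATES = [
    Safeguard("offline backups", 20_000, 5_000, 5, residual_ef=0.15, residual_aro=0.5),
    Safeguard("EDR rollout", 60_000, 30_000, 3, residual_ef=0.6, residual_aro=0.1),
    Safeguard("full rebuild + 24x7 SOC", 500_000, 100_000, 5, residual_ef=0.05, residual_aro=0.05),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(CUSTOMER_DB.value, RANSOMWARE.exposure_factor)
    ale = annual_loss_expectancy(sle, RANSOMWARE.aro)
    print(f"SLE ${sle:,.0f}  ALE ${ale:,.0f}")
    for s in CANDIDATES:
        print(f"{s.name:26} annual cost ${annual_cost(s):>9,.0f}  "
              f"value ${safeguard_value(CUSTOMER_DB, RANSOMWARE, s):>9,.0f}")
    chosen = best_safeguard(CUSTOMER_DB, RANSOMWARE, CANDIDATES)
    print("recommend:", chosen.name if chosen else "no control is cost-justified; accept or re-scope")
```

With these inputs the ALE is $150,000 per year; offline backups cut it to $37,500 for $9,000 a year (value $103,500), the EDR rollout is positive but smaller, and the gold-plated option has negative value because its annual cost exceeds the whole ALE. The negative case is the one practitioners should look for: a control is not justified merely because it reduces risk.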
Key Performance Indicator (KPI)
Performance objectives for a system or process; failing to meet them can be a sign of an incident
Key Risk Indicator (KRI)
A trigger for a risk
Provide early warning
Provide backward-looking view on risk events
Enable documentation and analysis of trends
Provide an indication of risk appetite and tolerance
Increase the likelihood of achieving strategic objectives
Assist in optimizing risk governance
Wassenaar Arrangement
Multilateral export-control agreement for dual-use goods, including cryptography. Cryptographic software may be exported to non-government end users in other participating countries
Strong encryption software may not be exported to terrorist or embargoed states
Import Restrictions
Some countries do not allow import of tools with strong encryption unless a copy of the private keys is provided to law enforcement (key escrow) so they can decrypt the traffic
HIPAA
US law regulating the protection of individuals' health information (PHI)
Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)
Financial institutions are required to protect customers' financial information
Payment Card Industry Data Security Standard (PCI DSS)
Industry-enforced (self-regulated, not a law) standard for protecting cardholder data
Parol Evidence
When agreement in written form, it contains all terms of the agreement. No verbal agreements can modify written agreement