Domain 1: Security and Risk Management Flashcards
3 main elements of Security Program
People, Process, Technology
Important for people
training, knowledge/skill set, company culture
Important about process
controls how people interact with the technology
Information Security Triad
Confidentiality, Integrity, Availability
cost v. performance
always a balance between levels of security and performance. Security will reduce performance.
Confidentiality
Prevent unauthorized disclosure
Integrity
Prevent unauthorized modification
Availability
Timely access to resources
Why implement security?
To support the mission of the organization. Not security for security's sake
GRC
Governance, Risk, Compliance
Why GRC Came about
Response to widescale fraud and unethical behaviors of organizations in the early 2000s. Open Compliance & Ethics Group (OCEG) provided open standards addressing GRC
Culpable Negligence
Not doing something a reasonably cautious person would do
Due Care
Acting on the research to show you have acted prudently
Prudent Person Rule
You have used due diligence and due care to take reasonable actions, responsibly and cautiously
Ultimate Responsibility/Liability
Senior Management
Information Security Frameworks
Provide standard set of IS requirements to guide organizations; foundation, structure
ISO 27001 has how many domains
14
ISO 27001
Specifies requirements for establishing, implementing, maintaining, and improving an IS Management system within an organization
GDPR
General Data Privacy Regulation
Who adheres to GDPR
Not the US, more popular in Europe
Goal of GDPR
Protect the Rights of data subjects
Data subject
person the data pertains to
Timeline for Breach Disclosure under GDPR
72 hours to notification
Seven Steps of the NIST CSF
Prioritize and Scope, Orient, Create a Current Profile, Conduct a Risk Assessment, Create a Target Profile, Determine/Analyze/Prioritize Gaps, Implement Action Plan
Gap Analysis
Identifying and prioritizing gaps between where you are and where you want to be
5 goals of NIST CSF
Identify, Protect, Detect, Respond, Recover
CMMI Five Maturity Levels
Initial, Developing, Defined, Managed, Optimized
CMMI Maturity Model
Identifies Maturity of Technology, Process, and People
CMMI Level 1
People are unstaffed or uncoordinated, no formal security program, no security controls exist
CMMI Level 2
Infosec leadership established, Basic governance and risk management process/policies, some controls in development with limited documentation
CMMI Level 3
Some roles and responsibilities established, organization-wide processes and policies in place with minimal verification, more controls documented and developed, over-reliant on individual efforts
CMMI Level 4
Increased resources and awareness, clearly defined roles and responsibilities, formal infosec committees, verification and measurement processes, controls monitored, measured for compliance but uneven levels of automation
CMMI Level 5
Culture supports continuous improvements, processes comprehensively implemented, risk based and quantitatively understood, controls comprehensively implemented and automated
Information Security Program Steps
Provide means for achieving strategy, policies/standards/procedures/guidelines, controls and control objectives, 3rd party governance, data classification/security, Certification and Accreditation (aka Assessment and Authorization), auditing
Corporate Policy
Comes from senior leadership, expresses their vision for security
System Specific Policy
Every system (or system role) should have its own policy
Issue Specific Policy
Policy focusing on a specific issue, e.g. Change Management Policy
List of Issue Specific Policies
Change Management, Acceptable Use, Privacy, Data/System Ownership, Separation of Duties, Mandatory Vacations, Job Rotation, Least Privilege, Need to Know, Dual Control, M of N Control
Change management policy
Discusses how to manage and approve changes to the system
Acceptable Use policy
Policy stating how to use system resources and restrictions
Privacy policy
Pertains to employee privacy and notification of employees