D1: Security and Risk Management Flashcards
ISC2 Code of Ethics Canons
- Protect society, the common good, necessary public trust and confidence, and the infrastructure of society
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to Principals
- Advance and protect the profession
Protects assets using important principles such as need to know and least privilege; prevents unauthorized disclosure
Confidentiality
Protects and adds value to assets by making them more accurate, more timely, more current, more meaningful; prevents unauthorized or accidental changes to assets such as information
Integrity
Protects critical assets based on value to ensure organizational assets are available when required by stakeholders
Availability
Proves assets are legitimate and bona fide, and verifies that they are trusted and verified. Proves the source and origin of important valuable assets. Also referred to as “proof of origin.”
Authenticity
Provides assurance that someone cannot dispute the validity of something; the inability to refute accountability or responsibility. Also, the inability to deny having done something
Nonrepudiation
Governance
The act of governing or overseeing the process of directing something, so that the organization can achieve its goals and objectives, with a focus on increasing the value of the organization.
Based on the organization’s goals and objectives (creating new processes, new products, meeting compliance requirements, and so on).
Corporate Governance
Includes all those activities, initiatives, and programs that the security function will drive, initiate, and support, which should always be aligned with, focused on, and contributing toward the corporate governance activities mentioned above that will ultimately increase the value of the organization
Security Governance
Looks at potential control elements and determines which ones are in scope
Scoping
Looks specifically at applicable (in-scope) security control elements and further refines or enhances them so they are most effective and aligned with the goals and objectives of an organization
Tailoring
Where the buck stops; ultimate ownership and liability; only one person or group can be accountable; sets rules and policies
Accountability
The doer; in charge of a task or process; multiple people can be responsible; develops plans and implements controls
Responsibility
Responsible for:
- Ensuring that appropriate security controls, consistent with the organization’s security policy, are implemented to protect the organization’s assets
- Determining appropriate sensitivity or classification levels
- Determining access privileges
Owners / Controllers / Functional Leaders / Senior Management
Responsible for:
- Design, implementation, management, and review of the organization’s security policies, standards, baselines, procedures, and guidelines
Information Systems Security Professionals / IT Security Officer
Responsible for:
- Developing and implementing technology solutions
- Working closely with IS and IT Security Professionals and Officers to evaluate security strategies
- Working closely with the Business Continuity Management (BCM) team to ensure continuity of operations should disruption occur
Information Technology (IT) Officer
Responsible for:
- Implementing and adhering to security policies
IT Function
Responsible for:
- Managing, troubleshooting, and applying hardware and software patches to systems as necessary
- Managing user permissions, per the owner’s specifications
- Administering and managing specific applications and services
Operator / Administrator
Responsible for:
- Maintaining computer networks and resolving issues with them
- Installing and configuring networking equipment and systems and resolving problems
Network Administrator
Responsible for:
- Providing management with independent assurance that the security objectives are appropriate
- Determining whether the security policy, standards, baselines, procedures, and guidelines are appropriate and effective to comply with the organization’s security objectives
- Determining whether the objectives have been met
Information Systems Auditors
Responsible for:
- Adherence to security policies
- Preserving the availability, integrity, and confidentiality of assets when accessing and using them
Users
Accountable protection of assets based on and aligned with the goals and objectives of the organization
This definition aligns what security should be doing with what the organization should be doing: accountable protection of assets, based on the goals and objectives of the organization. This is what due care means from a security perspective
Due care
Ability to prove due care to stakeholders (upper management, regulators, customers, shareholders, etc.)
What is done on a regular basis to prove due care to organizational stakeholders
Due Diligence
Protects: Business Information
Disclosure Required: No
Term of Protection: Potentially infinite
Protects Against: Misappropriation
Trade Secret
Protects: Functional innovations; novel ideas/inventions
Disclosure Required: Yes
Term of Protection: Potentially infinite
Protects Against: Making, using, or selling an invention
Patent
Protects: Expression of an idea embodied in a fixed medium (books, movies, songs, etc.)
Disclosure Required: Yes
Term of Protection: Set period of time
Protects Against: Copying or substantially similar work
Copyright
Protects: Color, sound, symbol, etc. used to distinguish one product/company from another
Disclosure Required: Yes
Term of Protection: Potentially infinite
Protects Against: Creating confusion
Trademark
Was put in place to manage the risk that cryptography poses, while still facilitating trade. It allows certain countries to exchange and use cryptography systems of any strength, while also preventing the acquisition of these items by terrorists
The Wassenaar Arrangement
This is a US regulation that was built to ensure control over any export of items such as missiles, rockets, bombs, or anything else existing in the United States Munitions List (USML). The responsible agency is the US Department of State, Directorate of Defense Trade Controls (DDTC)
International Traffic in Arms Regulations (ITAR)
Predominantly focuses on commercial-use related items like computers, lasers, marine items, and more. However, it can also include items that may have been designed for commercial use but actually have military applications. The responsible agency is the US Department of Commerce, Bureau of Industry and Security (BIS)
Export Administration Regulations (EAR)
Is the state or condition of being free from being observed or disturbed by other people
Privacy
Data that can be used on its own or in combination to identify an individual. ___ can be referred to as:
PI - Personal Information
PII - Personally Identifiable Information
SPI - Sensitive Personal Information
PHI - Protected Health Information
Personal data
Include information that relates specifically to an individual, such as their name, address, biometric data, government ID, or other uniquely identifying number
Direct identifiers
Include information that on its own cannot uniquely identify an individual but can be combined with other information to identify specific individuals, including, for example, a combination of gender, birth date, geographic indicators, and other descriptors. Other examples: place of birth, race, religion, weight, activities, employment, medical, education, and financial information
Indirect identifiers
Need to have clearly defined accountabilities including:
- defining classification
- approving access
- retention and destruction
Different types of owners:
- data owners
- process owners
- system owners
Companies that collect personal data about customers are accountable for the protection of the data
Data Owners
Need to have clearly defined responsibilities
Protect data based on input of the owners
Also need tools, training, resources, etc. And who provides all this? Typically the owners
Data Custodians
Need to have clearly defined responsibilities
Processes personal data on behalf of the controller / owner
Data Processors
Individual to whom personal data relates
Data Subjects
A single set of rules applies to all EU member states
Each state establishes an independent Supervisory Authority (SA) to hear and investigate complaints
Data subjects shall have the right to lodge a complaint with a SA
Seven principles describe lawful processing of personal data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Privacy breaches must be reported within 72 hours
GDPR
Which country (privacy regulation)?
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes–Oxley Act (SOX)
Children’s Online Privacy Protection Act (COPPA)
California Consumer Privacy Act (CCPA) – Similar to the GDPR
California Privacy Rights Act of 2020
United States
Which country (privacy regulation)?
Personal Information Protection and Electronic Documents Act (PIPEDA)
Canada
Which country (privacy regulation)?
Personal Information Protection Law
China
Which country (privacy regulation)?
Protection of Personal Information Act
South Africa
Which country (privacy regulation)?
Personal Data Protection Law Number 25,326 (PDPL)
Argentina
Which country (privacy regulation)?
Personal Information Protection Act (PIPA)
South Korea
Which country (privacy regulation)?
- Privacy Act
- Australian Privacy Principles (APPs)
Australia
As a security professional, what should you understand about privacy?
Privacy cannot be achieved without security. Security must be involved in implementing the required security controls to achieve the required privacy requirements
Is an international organization that is focused on international standards and policies, and finding solutions to social, economic, and environmental challenges. One such challenge that they have been driving for decades is privacy
Organization for Economic Cooperation and Development (OECD)
- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification Principle
- Use Limitation Principle
- Security Safeguards Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle
OECD’s privacy guidelines
Is a process undertaken on behalf of an organization to determine if personal data is being protected appropriately and to minimize risks to personal data as appropriate
Privacy Impact Assessment (PIA)
Why is a PIA important?
A PIA is performed with a goal to:
- Identify/evaluate risks relating to privacy breaches
- Identify what controls should be applied to mitigate privacy risks
- Support organizational compliance with privacy legislation
Privacy Impact Assessment Steps
- Identify the need for a DPIA
- Describe the data processing
- Assess necessity and proportionality
- Consult interested parties
- Identify and assess risks
- Identify measures to mitigate the risks
- Sign off and record outcomes
- Monitor and review
Article 35 of the GDPR sets out the minimum contents of a DPIA. The assessment shall contain at least:
- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of data subjects; and
- The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with this regulation considering the rights and legitimate interests of data subjects and other persons concerned.
List of recommended compliance requirements for an organization:
- Laws
- Regulations
- Industry Standards
- Import/Export Controls
- Transborder Data Flow Regulations
- Assets
- Personal Data
- Corporate Policies
- Documents that communicate management’s goals and objectives
- Provide authority to security activity
- Define the elements, functions, and scope of the security team
- Must be approved and communicated by management
- Corporate laws
Policies
Specific hardware and software solutions, mechanisms, and products.
Examples:
- Specific anti-virus software, e.g., McAfee
- Specific access control system, e.g., Forescout
- Specific firewall system, e.g., Cisco ASA
- Published guideline (e.g., ISO 27001) adopted by an organization as a standard
Standards
Step-by-step description on how to perform a task; mandatory actions.
Examples:
- User registration or new hire onboarding
- Contracting for security purposes
- Information system material destruction
- Incident response
Procedures
Defined minimal implementation methods/levels for security mechanisms and products.
Examples:
- Configurations for intrusion detection systems
- Configuration for access control systems
Baselines
Recommended or suggested actions.
Examples:
- Government recommendations
- Security configuration recommendations
- Organizational guidelines
- Product/system evaluation criteria
(Note: Guidelines allow an organization to suggest that something be done without making it a hard requirement, which, if not met, would cause a negative audit finding.)
Guidelines
Analyzes the consequences of a disaster to an organization and allows the organization to understand priorities and gather the information needed to develop recovery strategies
BIA (Business Impact Analysis)
As part of the BIA process, a company needs to map out the interdependencies between their critical functions, processes, assets, applications, systems, etc., as well as others that are outside of their control, such as suppliers, vendors, and other third parties.
External Dependencies