Domain 3: Information Security Program Flashcards
Describe the purpose of the charter
The core of the charter is the scope statement, which defines the security objectives included in the program and the portion of the organization covered by the program. The charter should also address the business purpose of the program, a statement of authority, roles and responsibilities, governance structures, documentation, enforcement mechanisms, and processes for periodic program reviews.
How are metrics used to assess the efficiency and effectiveness of the information security program?
Key performance indicators (KPIs) are metrics that demonstrate the success of the security program in achieving its objectives. KPIs look at historical performance. Key goal indicators (KGIs) measure progress toward defined goals. Key risk indicators (KRIs) try to quantify the security risk facing an organization. KRIs look forward at future potential risks.
Explain how security training and awareness ensures that individuals understand their responsibilities.
Security training programs impart new knowledge to employees and other stakeholders. They should be tailored to meet the specific requirements of an individual’s role in the organization. Security awareness programs seek to remind users of the information they have already learned, keeping their security responsibilities top-of-mind.
Explain how information security must work closely with other business functions.
Security managers should cultivate relationships with other business leaders to ensure that security is well integrated with other business functions. This includes integrating with the human resources function for employee hiring, transfers, and termination. It also includes aligning with procurement and accounting functions for product and service acquisitions. Security leaders should also work carefully with other information technology leaders and the organization’s auditors.
How do you establish a New Program?
New cybersecurity managers in an organization without a mature security function may find themselves developing a program from the ground up. This effort should begin with the development of an information security strategy that identifies appropriate standards, conducts a gap analysis, and understands the threat environment.
With that strategy in hand, managers may begin to outline the set of initiatives required to bring the organization from its current state to the desired state of information security. As they establish the program, they should ensure that its work remains aligned with the information security strategy that guides their effort.
The scope statement should be concise, communicating the nature of the program clearly to all employees. For example, a broadly defined security program might use this scope statement:
The information security program is responsible for securing the confidentiality, integrity, and availability of all information stored, processed, or transmitted by the organization in any form: physical or digital.
A scope statement may also exclude parts of the organization that are covered by a separate security program. For example, many universities have associated health systems, and those health systems often have separate information security functions. In that situation, the university’s main information security program might have a scope statement that describes this scope limitation:
The information security program is responsible for securing the confidentiality, integrity, and availability of all information stored, processed, or transmitted by the organization in any form: physical or digital. The program does not apply to elements of the University Health System governed by the UHS Cybersecurity Program.
How do you develop a program charter?
With a scope statement in hand, information security managers may then begin creating the information security program charter. The charter is the organizing document for the cybersecurity program. Building on the scope, the charter outlines the parameters under which the program will function. Common components of an information security program charter include the following:
A scope statement identifying the scope of the information security program. This is simply reiterating the scope statement created for the program in a location where all interested stakeholders may reference it.
A business purpose clearly linking the information security program objectives to business objectives. For example, the University of Pennsylvania publishes a business purpose statement in its Information Security and Privacy Program Charter (www.isc.upenn.edu/information-security-and-privacy-program-charter).
A statement of authority for a program does what?
A statement of authority for the program, normally delegating institutional authority to a specific individual. For example, the charter for the Wayne State University Information Security Program (https://tech.wayne.edu/docs/wsu-security-program-charter.pdf) does this as follows:
The Sr. Director of Information Security under the division of Computing & Information Technology is designated as the Chief Information Security Officer (“Program Officer”) responsible for coordinating and overseeing the Information Security Program.
What is the role of cybersecurity programs in maintaining business alignment?
The role of cybersecurity programs is to enable organizations to meet their business objectives while protecting the confidentiality, integrity, and availability of information and systems. To achieve this purpose, cybersecurity managers must have an intimate understanding of the business and work diligently to align security efforts with business needs.
What is required to maintain an existing program?
Once an organization has an existing information security program, information security managers must operate and maintain that program. This involves monitoring the program to ensure that it remains in alignment with business objectives and the information security strategy as well as providing regular reporting to stakeholders.
How are metrics and monitoring of a security program carried out?
Organizations evaluate their security programs through the use of metrics that assess the efficiency and effectiveness of critical security controls. Metrics are measurements that provide insight into the health of a security program both at a single point in time and on a long-term basis.
Security programs use three primary types of metrics to demonstrate their effectiveness and the state of the organization’s security controls. These key indicators offer program management and operational metrics that evaluate the effectiveness and efficiency of the information security program.
- Key performance indicators (KPIs) are metrics that demonstrate the success of the security program in achieving its objectives. KPIs are mutually agreed-upon measures that evaluate whether a security program is meeting its defined goals. Generally speaking, KPIs are a look back at historical performance, providing a measuring stick to evaluate the past success of the program.
- Key goal indicators (KGIs) are similar to KPIs but measure progress toward defined goals. For example, if an organization has a goal to eliminate all stored Social Security numbers (SSNs), a KGI might track the percentage of SSNs that have been removed.
- Key risk indicators (KRIs) are measures that seek to quantify the security risk facing an organization. KRIs, unlike KPIs and KGIs, are a look forward instead of back. They attempt to show how much risk exists that may jeopardize the future security of the organization.
User Training
Users within your organization should receive regular security training to ensure that they understand the risks associated with your computing environment and their role in minimizing those risks. Strong training programs take advantage of a diversity of training techniques, including the use of computer-based training (CBT).
What is Role-Based Training?
All users should receive some degree of security education, but organizations should also customize training to meet specific role-based requirements. For example, employees handling credit card information should receive training on PCI DSS requirements. Human resources team members should be trained on handling personally identifiable information. IT staffers need specialized skills to implement security controls. Training should be custom-tailored to an individual’s role in the organization.
What are the two important components of a skill set development program?
There are two important components to your skill set development program:
Training programs help employees keep their skills current and develop skills in new areas of cybersecurity. You should allocate a portion of your budget to provide each employee with the training they need to keep their skills sharp and advance in their profession.
Certifications help employees validate their skills and are an important recruiting and retention tool. You recognize that or you wouldn’t be reading a cybersecurity certification book right now! As you develop the skills of your employees, provide them with opportunities to pursue certifications that both interest them and advance the organization’s security objectives.
What is Organizational Budgeting?
A budget is just a financial plan for the team. It outlines how much money is available to you over the course of the year and how you plan to spend that money.
Most organizations go through an annual budget planning cycle where the organization’s leadership decides the following year’s budget a few months before the year begins. This means that you’ll have to work backward and will often find yourself preparing a budget at least six months in advance of it going into effect. Or, looking at it another way, depending on where you are in the budget cycle, it could be up to 18 months until the next time that you receive a budget adjustment. That’s why planning in advance is so important.
What are the two major approaches to budgeting?
Incremental budgeting approaches start with the prior year’s budget and then make adjustments by either raising or lowering the budget. If your organization uses this approach, you’ll frequently hear phrases like “We have a 3% budget increase this year” or “We’re cutting the budget by 5%.” It’s up to the manager to advocate for additional budget and to make the new numbers work.
Zero-based budgeting approaches begin from zero each year, and managers are asked to justify their entire budget, rather than start with the assumption that they will have the same amount of funding as they did the previous year.
Capital expenses (CapEx) are costs that an organization incurs as part of building out and maintaining its large assets. For example, if you buy or renovate a building, that’s a fixed asset, and the costs associated with it are capital expenses.
Other examples of capital expenses are:
Purchasing expensive computing equipment
Buying vehicles
Buying new multifunction printers
Operational expenses (OpEx) are those costs of running the business day to day that don’t involve purchasing or maintaining an asset. The most common example of operational expenses is payroll. You’re paying your employees to run your business, but you’re not purchasing the employee, so your employees are not a financial asset. This makes payroll an operational expense.
Other examples of operational expenses are:
Electricity costs
Hardware maintenance agreements
Office supplies
Procurement
The procurement function in an organization is responsible for acquiring the products and services that the organization needs to carry out its business. It normally consists of a team of contracting and vendor management specialists who assist other departments with purchases, providing subject matter expertise on contracting and negotiation, and ensuring that the purchase complies with the organization’s requirements.
Vendor Evaluation
Vendors play an important role in the information technology operations of every organization. Whether it’s the simple purchasing of hardware or software from an external company or the provision of cloud computing services from a strategic partner, vendors are integral in providing the IT services that we offer our customers. Security professionals must pay careful attention to managing these business partnerships in a way that protects the confidentiality, integrity, and availability of their organization’s information and IT systems. This process, known as conducting vendor due diligence, protects us against many of the risks associated with acquiring hardware, software, and services.
Contracting
As organizations begin to increasingly use vendors for services that include the storage, processing, and transmission of sensitive information, they must pay careful attention to the vendor’s information management practices. Data ownership issues often arise in supplier relationships, particularly when the vendor is creating information on behalf of the customer. Agreements put in place prior to beginning a new vendor relationship should contain clear language about data ownership.
EMPLOYMENT AGREEMENTS
Organizations should use written employment agreements that spell out the employee’s responsibilities in many different areas. For the purposes of the CISM exam, you should know that this may include security-related responsibilities. Here are two specific areas that should be included in all employment agreements:
Nondisclosure agreements (NDAs), where the employee agrees not to disclose any confidential information learned during the course of employment, even after the employee leaves the organization
Asset return agreements, where the employee agrees to return all of the organization’s property at the end of employment, including both information and physical assets
Separation of Duties
The separation of duties principle states that sensitive business functions should require the involvement of at least two people. This reduces the likelihood of fraud, because a single employee can no longer carry it out alone and would have to collude with a second employee.
A common example of separation of duties is found in accounting departments. One way that employees might steal funds from the organization is to set up fake vendors in the system and then issue checks to those vendors for services that were never rendered. To prevent this, organizations typically separate the ability to set up a new vendor and issue a check to a vendor and say that no employee should ever have both of those privileges.
Endpoint Security means what?
Endpoint devices, such as laptop and desktop computers, mobile phones, and tablets, are the front lines in cybersecurity defensive strategies. They’re at a high level of risk because they rest in the hands of end users who may intentionally or accidentally undermine the security mechanisms that protect these devices. For this reason, cybersecurity professionals pay careful attention to the secure configuration, monitoring, and management of endpoint systems.
Malware Prevention
Malicious software, or malware, is one of the most common threats to endpoints. Malicious software may invade a network, spreading under its own power, or it may arrive on a system when a user clicks a malicious link or installs unsafe software. Once it has a foothold on a system, malware may be used to gain control of system resources and to steal sensitive information.
Antimalware software uses two different mechanisms to protect systems against malicious software:
Signature detection uses databases of known malware patterns and scans the files and memory of a system for any data matching the pattern of known malicious software. If it finds suspect contents, it can then remove the content from the system or quarantine it for further analysis. When you’re using signature detection, it is critical that you frequently update the virus definition file to ensure that you have current signatures for newly discovered malware.
Heuristic detection takes a different approach. Instead of matching patterns of known malicious code, these systems model normal activity and then report anomalies, activity that deviates from that normal pattern. This lets them flag malware that has no signature yet, at the cost of more false positives than signature detection.
Endpoint Detection and Response is based on what four capabilities?
Today, virtually every system out there has basic malware protection installed. Organizations are now deploying more sophisticated tools, known as endpoint detection and response (EDR) platforms. EDR extends traditional malware protection to include four important capabilities:
Detecting security incidents
Containing incidents that are detected
Investigating contained incidents
Remediating endpoints back to their pre-compromised state
Data Loss Prevention
Data loss prevention (DLP) solutions provide technology that helps an organization enforce information handling policies and procedures to prevent data loss and theft. They search systems for stores of sensitive information that might be unsecured and monitor network traffic for potential attempts to remove sensitive information from the organization. They can act quickly to block the transmission before damage is done and alert administrators to the attempted breach.
DLP systems work in what two different environments?
Host-based DLP uses software agents installed on a single system that search the system for the presence of sensitive information. These searches often turn up Social Security numbers, credit card numbers, and other sensitive information in the most unlikely places! Detecting the presence of stored sensitive information allows security professionals to take prompt action to either remove it or secure it with encryption. Taking the time to secure or remove information now will be worth it in the long run if the device is lost, stolen, or compromised. Host-based DLP can also monitor system configuration and user actions, blocking undesirable actions. For example, some organizations use host-based DLP to block users from accessing USB-based removable media devices that they might use to carry information out of the organization’s secure environment.
Network-based DLP systems monitor outbound network traffic, watching for any transmissions that contain unencrypted sensitive information. They can then block those transmissions, preventing the unsecured loss of sensitive information. DLP systems may simply block traffic that violates the organization’s policy, or, in some cases, they may automatically apply encryption to the content. This automatic encryption is commonly used with DLP systems that focus on email.
What two detection mechanisms do DLP systems use to identify sensitive data?
Pattern matching watches for the telltale signs of sensitive information. For example, if the DLP sees a number that is formatted like a credit card or Social Security number, it can automatically trigger an alert based on that pattern. Similarly, the DLP may contain a database of sensitive terms, such as “Top Secret” or “Business Confidential,” and trigger when it sees those terms in a transmission.
Watermarking allows systems or administrators to apply electronic tags to sensitive documents and then the DLP system can monitor systems and networks for unencrypted content containing those tags.
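The two mechanisms above are easy to see in code. The following is an added example, not part of the original flashcards or any vendor's DLP product: it scans constructed sample lines for SSN and card-number patterns (using a Luhn check to drop digit strings that only look like card numbers), for the sensitive terms the page mentions, and for an assumed watermark tag format `[[DLP-TAG:<label>]]`, which is hypothetical and not a standard. Alerts carry only the last four digits of a match so the DLP itself does not leak the secret.

```python
import re

# Constructed sample content for this example: lines a host- or
# network-based DLP might see in a file or in an outbound message.
SAMPLE_LINES = [
    "Customer SSN on file: 219-09-9999",            # structurally valid SSN
    "Card: 4111 1111 1111 1111 exp 09/27",          # passes Luhn
    "Order ref 1234-5678-9012-3456",                # looks like a PAN, fails Luhn
    "Scratch values 666-12-3456 and 123-00-4567",   # invalid SSN area / group
    "Status: Business Confidential until launch",   # sensitive term
    "[[DLP-TAG:PROJECT-FALCON]] Q3 roadmap draft",  # watermark tag (assumed format)
    "Nothing sensitive here",
]

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# Card: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SENSITIVE_TERMS = ("Top Secret", "Business Confidential")
# Hypothetical watermark tag format assumed for this example.
WATERMARK_RE = re.compile(r"\[\[DLP-TAG:([A-Z0-9-]+)\]\]")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Never echo the full secret back in an alert; keep only the last four."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_line(line: str) -> list:
    """Return (kind, evidence) pairs for every detector that fires on one line."""
    findings = []
    for m in SSN_RE.finditer(line):
        findings.append(("ssn", mask("".join(m.groups()))))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # pattern match alone is not enough
            findings.append(("card", mask(digits)))
    for term in SENSITIVE_TERMS:
        if term.lower() in line.lower():
            findings.append(("term", term))
    for m in WATERMARK_RE.finditer(line):
        findings.append(("watermark", m.group(1)))
    return findings


def scan(lines) -> list:
    """(line_number, kind, evidence) for every hit across the input."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, evidence in scan_line(line):
            hits.append((n, kind, evidence))
    return hits


def should_block(hits) -> bool:
    """Policy decision: any hit blocks the transmission (or quarantines the file)."""
    return bool(hits)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print("line %d: %s %s" % hit)
    print("block:", should_block(scan(SAMPLE_LINES)))
```

The Luhn check is what keeps line 3 (an order reference) from producing a false positive, and the SSN lookaheads drop the two malformed numbers on line 4; a production DLP adds context rules (nearby words such as "SSN" or "card") and proximity scoring on top of this, but the core is the same pattern-plus-validation loop.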
Configuration management
Configuration management tracks the way that specific endpoint devices are set up. It records both the operating system settings and the inventory of software installed on a device. Change management programs provide organizations with a formal process for identifying, requesting, approving, and implementing changes to configurations.
Why is baselining an important component of configuration management?
A baseline is a snapshot of a system or application at a given point in time. It may be used to assess whether a system has changed outside of an approved change management process. System administrators may compare a running system to a baseline to identify all changes to the system and then compare those changes to a list of approved change requests.
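The comparison described above, as an added example that is not from the original flashcards: it takes a baseline of file hashes from a constructed directory tree, makes a mix of approved and unapproved changes, diffs the running state against the stored baseline, and reports everything not covered by an approved change request. The paths, contents and the list of approved paths are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Baseline: relative path -> SHA-256 for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = hash_file(full)
    return state


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Classify drift as added, removed or modified paths (sorted for stable output)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def unapproved_changes(drift: dict, approved_paths) -> list:
    """Anything that changed and is not covered by an approved change request."""
    approved = set(approved_paths)
    return sorted(p for bucket in drift.values() for p in bucket if p not in approved)


def write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: take a baseline, change the system, compare."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/sshd_config", "PermitRootLogin no\n")
        write(root, "etc/hosts", "127.0.0.1 localhost\n")
        write(root, "bin/app", "v1")
        # The baseline would normally be stored off-host or signed, so that an
        # attacker who modifies the system cannot also rewrite the reference.
        baseline_json = json.dumps(snapshot(root), sort_keys=True)

        # Drift: approved upgrade of bin/app; unapproved edit, new cron job, deletion.
        write(root, "bin/app", "v2")
        write(root, "etc/sshd_config", "PermitRootLogin yes\n")
        write(root, "etc/cron.d/backdoor", "* * * * * root /tmp/x\n")
        os.remove(os.path.join(root, "etc/hosts"))

        drift = diff_against_baseline(json.loads(baseline_json), snapshot(root))
        return drift, unapproved_changes(drift, approved_paths=["bin/app"])


if __name__ == "__main__":
    drift, unapproved = demo()
    print(json.dumps(drift, indent=2))
    print("not covered by an approved change:", unapproved)
```

Hash-based comparison catches content changes but not permission or ownership changes; a fuller baseline also records mode, owner and, for packages, the installed version, and the reference copy must live somewhere the monitored host cannot rewrite.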
Why is version control an important component of configuration management?
Version control is also a critical component of change management programs, particularly in the areas of software and script development. Versioning assigns each release of a piece of software an incrementing version number that may be used to identify any given copy.
What artifacts are useful to create for configuration management?
Configuration management should also create artifacts that may be used to help understand system configuration. For example, diagrams often play an important role in helping security professionals understand how a system was designed and configured. These can be crucial when performing time-sensitive troubleshooting or incident investigations.
Together, change and configuration management allow technology professionals to track the status of hardware, software, and firmware, ensuring that change occurs when desired but in a controlled fashion that minimizes risk to the organization.
Patch Management
Applying patches to operating systems is critical because it closes vulnerabilities that attackers already know about. When a vulnerability in an operating system is discovered, the vendor creates a patch that corrects the issue. Promptly applying patches shortens the window during which an attacker can exploit the vulnerability on your systems.
In Windows, the Windows Update mechanism is the simplest way to apply security patches to systems as soon as they are released. On Linux systems, administrators may take advantage of a variety of update mechanisms depending on their specific Linux distributions and organizational practices.
As a security administrator, you should not only ensure that your systems are configured to receive updates, you should also analyze the output of patch management processes to ensure that those patches are applied. Configuration management tools can assist you with automating this work. They also help you keep track of patches to the applications that you run in your organization.
What is system hardening?
System hardening involves analyzing the default settings of your operating system and removing services and components that are not required to meet your business needs.
Remove unnecessary software and operating system components to configure the system for the least functionality required to perform its function. This is an activity known as reducing the attack surface. The fewer things you have installed on a system, the fewer opportunities for an attacker to exploit.
Lock down the host firewall to only allow access to those open ports and services that are intended for use by other systems.
Disable any default accounts and change any default passwords that came with the operating system or applications you installed. Default accounts give attackers a known username to start brute-force attacks against and, when left with default passwords, will be quickly compromised if exposed to the Internet.
Verify that system configuration settings match best practices. On Windows systems, this may mean modifying registry settings to configure your system to meet minimum security requirements. On Linux systems, you may need to modify configuration files to perform similar hardening tasks.
Network Security
Networks also play a crucial role in an organization’s cybersecurity program. Endpoints, servers, and other devices all rely on the network to communicate with one another. Networks are often trusted to carry sensitive information within an organization. Cybersecurity professionals use a variety of controls to ensure the security of their networks.
Network Segmentation
Well-designed networks group systems into network segments based on their security level. This approach limits the risk that a compromised system on one network segment will be able to affect a system on a different network segment. It also makes it more difficult for a malicious insider to cause the organization damage.
Firewalls
Network firewalls serve as the security guards of a network, analyzing all attempts to connect to systems on a network and determining whether the request should be allowed or denied according to the organization’s security policy. They also play an important role in network segmentation.
Virtual LANs
Virtual LANs (VLANs) are an important network security control. VLANs allow you to logically group together related systems, regardless of where they normally exist on the network.
When you create diagrams of your desired network layouts, you typically place different functional groups in different network locations. Users in the accounting department share a network that is separate from users in the sales department and those in the IT department.
Network Device Security
Networks carry all types of data over both short and long distances. Whether it’s a transatlantic videoconference or an email across the room, many different networks carry the 1s and 0s that make communications work. Routers and switches are the core building blocks of these networks and require special security attention.
Switches do create networks, but they are limited to creating local networks. Switches generally operate at Layer 2 of the OSI model—the Data Link layer—where they work with MAC addresses only.
Some switches can perform limited functions at Layer 3 of the OSI model—the Network layer—where they can interpret IP addresses. In those cases, switches are beginning to take on the function of routers.
Switches
Network engineers use switches to connect devices to networks. They are simple-looking devices that contain a large number of network ports. Switches may be very small, with 8 or fewer ports, or they can be quite large, with 500 or more ports.
Switches are normally hidden away inside wiring closets and other secure locations. Each switch port is connected to one end of a network cable. Those cables then disappear into special pipes known as conduits for distribution around a building.
Switch administrators should implement some common practices to ensure the secure implementation of VLANs:
Implement VLAN pruning. Switches use a technology known as VLAN trunking to carry VLANs across the many switches that make up a network. This allows any switch port on the network to join any VLAN trunked to that switch. VLAN pruning implements the least privilege principle and only trunks VLANs to switches if the VLAN is needed on that switch. This requires a little more work on the part of network administrators, but it also reduces the risk of a compromised switch. For example, if you have a VLAN for the sales department and the sales department is contained within a single building, you should trunk that VLAN within the building but not into other buildings.
Block VLAN hopping. Malicious users may attempt an attack known as VLAN hopping to change from their authorized VLAN to one containing resources that they would like to attack. They might do this through a variety of means, but most rely on pretending to be a switch and asking the switch to trunk VLANs to the malicious user’s device. The countermeasures for this attack vary from device to device, but generally speaking, you should configure your switches to deny automatic VLAN trunking negotiation and only trunk VLANs when explicitly authorized by a network administrator.
Port Security
Port security protects against attackers disconnecting an authorized device from the wired network and replacing it with a rogue device that may eavesdrop on other users or attempt to access secure network resources. Port security works by limiting the MAC addresses that may be used on a particular switch port and requiring administrator intervention to change out a device. Port security works in two modes:
In static mode, the administrator manually configures each switch port with the allowable MAC addresses. This is very time-consuming, but this MAC filtering approach is the most secure way to implement port security.
In dynamic, or “sticky” mode, the administrator enables port security and then tells the switch to memorize the first MAC address that it sees on any given port and then restrict access to that MAC address. This makes configuration much faster but can be risky if you have unused but active switch ports, because the first device plugged into such a port, including an attacker’s, becomes the learned address. Administratively shut down unused ports.
Routers
Routers play a higher-level role, connecting networks together by serving as a central aggregation point for network traffic heading to or from a large network. The router makes decisions about the best paths for traffic to follow as it travels to its final destination. The router plays a role on the network that is similar to the way an air traffic controller organizes planes in the sky, sending them to their correct destination.
Routers also play an important role in network security. They are often located both physically and logically between the firewall and another network. Because they see traffic before network firewalls, they can perform filtering that reduces the load on the network firewall. Routers aren’t great at performing complex filtering, but network administrators can configure them to perform basic screening of network traffic. Routers share some common functionality with firewalls, but they are definitely not a substitute for firewall technology.
Firewalls differ from routers in several ways:
Firewalls are purpose-specific devices and are much more efficient at performing complex filtering than routers.
Firewalls have advanced rule capabilities. They allow you to create rules that are conditional upon the time of day, users involved, and other criteria.
Firewalls offer more advanced security functionality. They can incorporate threat intelligence, perform application inspection, and integrate with intrusion prevention systems to provide enhanced protection to a network.
How do VPNs work?
VPNs require an endpoint on the remote network that accepts VPN connections. Many different devices may serve as VPN endpoints, such as a firewall, router, server, or a dedicated VPN concentrator. All of these approaches provide secure VPN connections, but organizations that have high volumes of VPN often choose to use a dedicated VPN concentrator because these devices are efficient at handling VPN connections and can manage high-bandwidth traffic with ease.
If you don’t have a high volume of VPN traffic, you might choose to use the firewall, router, or server approach. If you go that way, be warned that VPN traffic requires resource-intensive encryption, and that unlike VPN concentrators, firewalls, routers, and servers usually don’t contain specialized hardware that accelerates encryption. Using them as VPN endpoints can cause performance issues.
When implementing a remote access VPN, administrators must choose from two different tunneling approaches:
In a full-tunnel VPN, any traffic leaving the remote device is sent through the VPN back to the home network and protected by encryption. This includes not only traffic headed back to the corporate network, but all web browsing and other activity as well.
In a split-tunnel VPN, some traffic is sent through the VPN while other traffic is sent out through the user’s local network. The routing policy is set by the VPN administrator. In most cases, they configure the split tunnel to send traffic headed for corporate systems through the VPN while allowing regular Internet traffic to go directly to the destination over the local network. This reduces the load on the VPN endpoint and conserves bandwidth, but the Internet-bound traffic bypasses the organization’s monitoring and filtering controls.
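The difference between the two tunneling approaches comes down to the route table the VPN client installs on the device. The following is an added example, not from the original flashcards or any VPN product: it builds a full-tunnel and a split-tunnel route table and resolves sample destinations with longest-prefix matching the way the client's kernel would. The gateway address and corporate prefixes are constructed (documentation and private ranges); the two /1 routes in full-tunnel mode are the technique OpenVPN's `redirect-gateway def1` uses to override the local default route without deleting it.

```python
import ipaddress

# Constructed values for this example (documentation / private ranges).
VPN_GATEWAY = "203.0.113.10"
CORPORATE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]


def route_table(mode: str) -> list:
    """Build the client's route table as (prefix, egress) pairs."""
    net = ipaddress.ip_network
    table = [(net("0.0.0.0/0"), "local")]  # the device's own default route
    # The tunnel endpoint itself must always be reached locally; otherwise the
    # encrypted packets would be routed back into the tunnel they belong to.
    table.append((net(VPN_GATEWAY + "/32"), "local"))
    if mode == "full":
        # Two /1 routes out-rank the /0 default without removing it, so every
        # other destination goes through the VPN.
        table += [(net("0.0.0.0/1"), "vpn"), (net("128.0.0.0/1"), "vpn")]
    elif mode == "split":
        # Only corporate ranges go through the VPN; everything else stays local.
        table += [(net(p), "vpn") for p in CORPORATE_PREFIXES]
    else:
        raise ValueError("mode must be 'full' or 'split'")
    return table


def egress(table: list, destination: str) -> str:
    """Longest-prefix match: the most specific route containing the destination wins."""
    dst = ipaddress.ip_address(destination)
    candidates = [entry for entry in table if dst in entry[0]]
    return max(candidates, key=lambda e: e[0].prefixlen)[1]


def classify(mode: str, destinations) -> dict:
    """Map each destination to 'vpn' or 'local' under the chosen policy."""
    table = route_table(mode)
    return {d: egress(table, d) for d in destinations}


if __name__ == "__main__":
    sample = ["10.1.2.3", "172.20.5.5", "93.184.216.34", VPN_GATEWAY]
    for mode in ("full", "split"):
        print(mode, classify(mode, sample))
```

In split mode the public address 93.184.216.34 leaves over the local network, which is exactly the traffic the corporate firewall, proxy and DLP never see; in full mode only the gateway host route stays local.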
Always-On VPN
Another emerging trend is the Always-On VPN. In this strategy, all corporate mobile devices are configured to automatically connect to the VPN whenever they are powered on. This takes control away from the end user and ensures that traffic leaving the device is always protected by strong encryption.